The purpose of the XXX’s Information Asset Management Policy is to establish the rules for the control of hardware, software, applications, and information used by the XXX.
The scope of this policy extends to all XXX departments, employees, third parties, vendors and partners who utilize or who are responsible for the development, management and maintenance of all XXX’s information assets. The XXX’s Information Asset Management Policy applies to individuals who are responsible for the use, purchase, implementation, management, and/or maintenance of XXX information resources.
The XXX categorises information assets as:
- Information and Information Systems:
- Data files
- Hardcopy documents
- User guides
- Training material
- Policies, Procedures
- Business Continuity plans
- Financial Data
- System software
- Development software
- Utilities software
- Computer equipment
- Communications equipment
- Portable and local Media – storage and recording
- Property and accommodation
- Utilities (power, lighting, environmental controls)
3 Some terms used
3.1 Information Asset Owner
The owners of an information asset are those individuals who have primary responsibility for the viability and suitability of the asset. The owner is a senior person within an organization with sufficient authority, officially designated as accountable for a specific business process or function within the organization. The owner must determine which information assets they are responsible for. This responsibility is not restricted to the information systems within their domain; it extends to defining the information that needs to be managed within those systems. Such information may include Personally Identifiable Information (PII) along with critical business data, in both electronic and non-electronic formats. It is the owner’s responsibility to set the security requirements for information assets and to communicate those requirements to all of the assets’ custodians. Owners are also responsible for reassessing these requirements from time to time as threat profiles change and/or as the value of the information changes with the passage of time. Owners should ensure that the defined security requirements are implemented and maintained by the data custodians. Further, the effectiveness of the controls implemented should be assessed at regular intervals (e.g. through audits). An owner may delegate these security responsibilities, but the owner remains ultimately responsible for the protection of the asset.
3.2 Custodian of an Information Asset
The term “custodian” refers to any individual in the organization who has the responsibility to protect an information asset as it is stored, transported, or processed, in line with the requirements defined by the information asset owner. “Custodians” include staff from the Information Technology / Information Security function, staff who may be responsible for transporting information (e.g. paper records, CDs, USB drives) from one place to another, and even facilities or security staff who may have physical access to information processing and storage facilities. Certain roles within the organization, such as IT staff with administrative / root privileges, may have unlimited access to the agency’s information systems; these are critical roles, and sufficient controls and procedures must be developed for such privileged access. Data Users also have a critical role in protecting and maintaining an organization’s information systems and data. For the purpose of information security, a Data User is any employee, contractor or third-party provider who is authorized by the Data Owner to access information assets. At times, the data custodian may act as a trusted advisor to the owner, advising them on the risks and controls suitable for the information asset. However, the ultimate responsibility lies with the Owner, and under no circumstances shall the data custodian assume the role of the owner.
3.3 Risks to Information Assets
An Information Asset Owner should assess the risks to the information assets and ensure adequate controls to protect against:
- Loss of Confidentiality: Inappropriate access to, or disclosure of, protectively marked or personal data by Data users, public and / or malicious actors, whether accidental or deliberate
- Loss of Integrity: Data users acting in error or deliberately, or external parties accessing your information illegally or acting maliciously to compromise the integrity of your data, with the intention of defrauding you or your customers or causing reputational damage to your organization
- Loss of Availability: This could be either temporary or permanent.
- Information loss – particularly during transfer or movement of information, or because of business change (mergers, acquisitions, restructuring).
- Loss of access to information due to system / network outages caused by errors or deliberate actions.
- Loss of digital continuity – i.e. losing the ability to use your information in the way required when needed. By use we mean being able to find, open, work with, understand and trust your information. The lifecycle of a piece of information – how long you need to use and keep it – is often different from the lifecycle of the IT system used to access and support it.
- Information Currency: Business needs change, systems change, the value of an information asset may change, or the organization’s information risk appetite may change. An organization’s processes should be agile enough to manage the information security of the asset in accordance with the changing business environment.
4 Policy Statement
The XXX’s Information Governance Group (IGG) co-ordinates responsibility for the management of information assets by appointing nominated information asset owners across departments. All identified information assets must be recorded and managed by information asset owners in accordance with the XXX’s Information Security Management System. The XXX must take the following steps to ensure all information assets are appropriately identified, recorded and maintained:
4.1 Information and Information Systems
Information held and maintained by the XXX can either be in hard copy form stored in physical locations, filing systems, office locations or stored electronically using software and electronic backup systems.
Types of Information and Information Systems assets:
- Databases – Access to these must be given to authorised employees only and logs should be maintained to record all access to and changes made to any data held within any database system.
- Data files – Access to any data file(s) must be given to authorised employees only and logs must be maintained to record all access to and changes made to any data held within database systems.
- Hard copy documents – All hard copy documents containing sensitive and personal information must be accessed, processed, maintained and securely stored in accordance with the XXX’s Information Safe Haven guidance. Restricted hard copy documents requiring controlled access must have a signing in/out record maintained wherever appropriate.
- User guides – All user guides which assist and aid in the understanding of processes, procedures or systems should be safely stored and should be easily and readily accessible to all relevant employees – wherever possible. Guides which exist only in physical form should be digitised to include an electronic version which can be stored electronically on the XXX’s ICT Network.
- Notebooks – Information contained in notebooks which are used to record sensitive or personal information must be transferred to secure information systems as soon as possible and either the pages or entire notebook must be securely destroyed once the information has been transferred.
- Training material – All relevant training material(s) must be stored and made readily accessible to all relevant employees. Duplication or physical reproduction of training manuals must be kept to a minimum and avoided wherever possible.
- Policies and Procedures – All XXX Policies and Procedures should be made available and disseminated via the XXX’s main website. All original copies of Policies and Procedures documents whether electronic or hardcopy must be safely stored, regularly reviewed and a version history control record must be maintained for each document to ensure they are up to date.
- Business Continuity plans – All Business Continuity plans must be regularly reviewed, disseminated to appropriate employees and stored safely for easy retrieval as and when necessary.
- Financial Data – Data and Information relating to XXX financial data must be restricted to authorized employees only. Recording mechanisms must be in place for logging access, changes and use of financial data and information.
Computer and IT systems software is widely used across the XXX and is vital to the day-to-day running of the XXX. The use of software has continued to change the way the XXX works. Substantial investment has been made in software, along with accompanying ongoing costs and expenditure such as annual software/systems support, licensing and staff training.
- Applications – Software used by the XXX must be appropriately sourced using XXX approved suppliers and must be evaluated for business need, suitability, efficiency, ease of use, cost-effectiveness and integration into existing XXX systems. All software approved for use by the XXX must be recorded on an approved software list. Appropriate numbers of software licenses must be purchased to cover the volume of use and to satisfy legal requirements. Software media must be stored (physically and electronically) in a secure, centralized location along with software installation codes and registration numbers. Access to software media by employees must be controlled and limited to authorized employees only. A record must be maintained of all installations of software, licensing volumes, SLA documentation and references in a centralized location where access is provided to authorized employees only. A signing in/out system should be used for controlling the use of physical software media.
- System software – Server/system software such as Operating Systems must be evaluated for business need, suitability, efficiency, cost-effectiveness and integration into existing XXX systems. Operating System installation media must be stored in a secure, centralized location along with installation codes. Access to Server/system software media by employees must be controlled and limited to authorized employees only. A record must be maintained of all installations of software, licensing volumes, SLA documentation and references in a centralized location where access is provided to authorized employees only. A signing in/out system should be used for controlling the use of physical software media. Backups of complete Server/systems installations must be routinely carried out for disaster recovery purposes. Installation, configuration and maintenance of Server/system software must only be undertaken by employees who are trained and qualified to do so.
- Development software – software for the support of existing systems and for the development of in-house solutions must follow the same processes for procurement and use as for the applications and Server/systems software. Development software should only be used by employees who are trained or who are undergoing training to use the development software.
All types of software (with the exception of routine security updates and patches verified by software vendors) must go through agreed purchasing procedures and must be recorded on a XXX approved software list. Where the software is used in the storing, handling, processing or retention of data including personal data relating to the XXX’s information or services commissioned by the XXX, then the purchasing procedure should follow the guidelines contained within the XXX’s ‘Supplier Information Security Policy’ and approved by the Director of Finance and ICT Services in line with the ‘Protocol for the Approval of new Systems or Changes to Existing Systems by the Director of Finance’.
The XXX’s most visible information assets are those which are physically located throughout the XXX such as computers, printers and phones etc. Offices and buildings must also be considered as information assets – providing location for the housing and installation of the XXX’s ICT Data and Communications Network infrastructure and physically stored documents and information.
- Computer equipment – A large number of computing devices are in use across the XXX. Computers are one of the most costly single items of equipment and must be subject to controls from procurement to disposal. The XXX must be able to track all activity and use relating to all XXX computing devices using various means such as via the computer network and/or using logging systems such as signing in and out and other such recording mechanisms. All computers must be allocated a unique asset tag number which is recorded against the manufacturer’s serial number and model which should never be altered or exchanged with any other computer. Throughout its life, a computer may be subject to hardware upgrades, new software installations, configuration changes and maintenance and all such activity must be appropriately recorded, maintained and updated by the ICT Service.
- Communications equipment – Mobile and office phones are widely used communications devices across the XXX. Other network and communications devices identified as information assets include routers, switches, video conferencing equipment etc. Along with computing equipment, these devices must be allocated an asset tag number. All communications equipment must be identified, recorded and appropriately maintained by the ICT Service.
- Portable, local media storage – Media such as CD/DVDs, Magnetic tape, flash/portable hard disks are valuable information assets because they are used to save and retrieve XXX information and data. Irrespective of the information stored on them, all such media must be classified and handled as ‘RESTRICTED’ in accordance with the XXX’s Information Classification and Handling Policy. The portable nature of this type of media requires responsible use and adherence to all XXX policies, procedures and processes which are in place for the protection of information and data. Appropriate labelling and recording mechanisms should be in place to ensure the safety and integrity of media – enabling tracking of essential media such as for data backups e.g. media required to carry out data/file restores must be signed in and out from a secure location. Portable media must be used in accordance with the XXX’s Encryption & Cryptographic Controls Policy, Desktop and Mobile Device Procedures and Data Protection and Storage Media Handling Procedures. All physical computer, communications and storage media/devices must go through purchasing procedures and must be recorded on a XXX approved hardware inventory.
- Property and accommodation – The XXX’s Corporate Asset Management Plan provides comprehensive information relating to buildings and property as information assets. ICT equipment along with Data and Network Communications infrastructure equipment is housed in many buildings and properties owned by the XXX and is therefore subject to the Corporate Asset Management Plan.
- Communications – It is vital for the XXX to maintain its ability to communicate in many different forms. Communications equipment must be maintained and clear processes, policies and procedures for the provision of this service must be in place. E-mail is also a vital means of communication and as such, requires a robust, reliable infrastructure to enable the XXX to communicate effectively and reliably, both internally and externally.
- Utilities (power, lighting, environmental controls) – These services are information assets as they provide fundamental requirements for the XXX to function appropriately, safely and effectively. It is essential that property maintenance and inspections are routinely carried out and that employees are proactive in reporting faults, whenever noted, to the XXX’s Property Services division.
The XXX cannot function without its workforce – it is its largest asset. The provision of good public services requires XXX employees to have the necessary skills, knowledge and ability to work within many different areas and departments across the XXX. The number of unique functions and specialisms across the XXX requires a varied knowledge and skills base which must be supported by robust recruitment processes, appropriate training provision and good management of employee skill identification, work placement and allocation.
- Knowledge and Experience – The XXX has a large pool of employees with a wide base of knowledge and experience to draw on, which is in itself a valuable information asset.
- Skills – All XXX employees must possess the necessary skills and ability to do their jobs.
Reputation – The XXX is very aware that public perception and confidence in its ability to deliver effective, efficient public services is of the utmost importance. Reputation is an asset which promotes confidence and generates support in what the XXX is trying to achieve. The XXX takes its reputation seriously and proactively engages to develop policies and procedures along with a consistent approach in maintaining and presenting the right image. The XXX encourages good reputation and is assisted by:
- Good working practices
- Corporate Image Branding
- Public Consultation
4.7 Information Classification and Handling
All XXX information has a value to the organization, however not all of the information has an equal value or requires the same level of protection. Being able to identify the value of information assets is key to understanding the level of security that they require. The XXX maintains an Information Classification and handling scheme which involves grouping information and categorizing content to establish the most appropriate way of handling, storing, retrieving and to determine who is authorized to access particular Information. All information in both electronic and physical forms must be categorized using either ‘PUBLIC’, ‘CONTROLLED’ or ‘RESTRICTED’ and must be appropriately labelled.
Any information that is not specifically marked as being ‘RESTRICTED’ or ‘CONTROLLED’ will be deemed to be ‘PUBLIC’. Where information is grouped together, the highest classification must be applied to all information in the group. The XXX’s information classification and handling policy and procedures provide further information.
4.8 Guidelines for an Information Asset Owner
Information asset owners are individuals who are responsible and accountable for the information assets within an organization. Information asset owners shall define the controls necessary for the information asset and work with information custodians to ensure that they are implemented and effective.
- Classification: The asset owner should support the ISM in the task of asset classification by explaining the need for, and importance of, all information assets assigned to his/her responsibility.
- Labelling: Asset owner SHOULD identify the appropriate labels for all assets as per their classification to support the Need-To-Know requirement and data labelling education and awareness for the staff, employees and contractors.
- Controls allocation: Owner SHOULD ensure the application of all baseline controls to all classified assets. Additional, stronger controls MAY be applied, if necessary and based on the risk assessment conducted. The controls shall consistently protect the Information Asset throughout their life cycle.
- Access Control and Physical Security: Asset Owner must authorize access to only those who have a business need for the information, and ensure that access is removed for those who no longer have a business need for the information. The Access control shall include physical as well as logical access to the information asset. The controls shall be chosen based on an assessment of risk.
- Logging & Security Monitoring: The asset owner shall identify suitable technical controls and processes to log and monitor systems for potential malicious activities or system disruptions.
- Awareness: The asset owner shall ensure that all personnel having access to the information asset are aware of the organization’s security requirements and any legal or regulatory responsibilities.
- Retention & Archival: The asset owner shall determine and document the retention periods of information assets governed by the organization’s policies and regulatory requirements.
- Incident Handling: The asset owner shall be responsible for the information asset. Any incident that compromises the confidentiality, integrity or availability of data should be reported and managed.
- Business Continuity: The information asset owner shall ensure the availability of information as and when required for the continuance of business.
- Ensure compliance: The asset owner shall ensure that the information asset is secured in compliance with the organizational security policy and state of Qatar laws and regulations.
4.9 Guidelines for the Information Asset Custodian
Information asset custodians are individuals in physical or logical possession of information. Information asset custodians are expected to work with information asset owners to gain a better understanding of these requirements. The information security controls implemented by the custodian must be documented and shared with the asset owner.
4.9.1 Information Technology Manager (IT Function)
- Classification: Assist the Asset owner along with the ISM in the task of asset classification.
- Labelling: Implement the data labeling as identified by the Asset owner. Advise the owner on technical limitations if any and possible technical mitigating solutions.
- Controls allocation: Identify and apply all controls (baseline and additional) to all information assets to protect the confidentiality, integrity, and availability of the information asset. The controls shall consistently protect the Information Asset throughout their life cycle.
- Access Control and Physical Security: Implement the necessary processes and controls to manage access control to information assets. Access shall be provided to only those who have a business need for the information, and ensure that access is removed for those who no longer have a business need for the information. The Access control shall include physical as well as logical access to the information asset. The controls shall be chosen based on an assessment of risk.
- Logging & Security Monitoring: Implement suitable technical controls and processes to log and monitor systems for potential malicious activities or system disruptions.
- Retention & Archival: Design and implement systems that shall ensure that information assets and the information life cycle are managed in line with the document retention policy.
- Incident Handling: Implement procedures for managing incidents. This should include incident reporting and incident response.
- Business Continuity: Design and implement the necessary procedures and controls to ensure the availability of information as and when required for the continuance of business.
4.9.2 Information Security Manager (Information Security Function)
- Information Governance: The Information Security Manager will manage the information security program of the organization. The ISM will develop information security policies to ensure that the organization’s information assets are secured adequately in line with the information owner’s requirements, corporate policies and national regulations such as the NIA Policy, the Information Privacy Protection Law and the Cybercrime Law, amongst others.
- Information Classification: Assist the information owner in identifying assets and classifying them. The ISM should also assist the information asset owner and the ITM in selecting appropriate controls to provide the necessary assurance to information asset owners.
- Controls: Ensure the application of all baseline controls to all information assets.
- Risk Management: Conduct a Risk assessment in association with the information asset owner and prepare an appropriate Risk treatment plan. Monitor the effectiveness of risk treatment processes and plans periodically.
- Awareness: Design and deliver an information security awareness programme to all personnel having access to the information assets. The programme shall build among users an understanding of the organization’s security requirements and any legal or regulatory responsibilities.
- Incident Management: Define an Incident Management policy and necessary procedures. Work with the ITM to detect, respond and contain incidents. Inform and report senior management about critical incidents.
- Maintain co-ordination with government and law enforcement agencies to report and manage critical incidents.
4.9.3 Guidelines for Data User
- Information Governance: The Data user shall be responsible for the information assets (systems / infrastructure) provided to them to carry out their official responsibilities.
- Information Classification: The Data User shall adhere to the information classification scheme approved by the management and maintain the classification (label) provided by the information asset owner.
5 Acceptable Use of Assets
All XXX departments, employees, elected members, contractors, vendors and partner agencies must observe and abide by all Acceptable Use policies and procedures pertaining to all XXX owned information assets.
6 Breaches of Policy
Breaches of this policy and/or security incidents can be defined as events which could have resulted, or have resulted, in loss or damage to XXX assets, or events which are in breach of the XXX’s security procedures and policies. All XXX employees, elected members, partner agencies, contractors and vendors have a responsibility to report security incidents and breaches of this policy as quickly as possible through the XXX’s Incident Reporting Procedure. This obligation also extends to any external organization contracted to support or access the Information Systems of the XXX. The XXX will take appropriate measures to remedy any breach of the policy and its associated procedures and guidelines through the relevant frameworks in place. In the case of an individual, the matter may be dealt with under the disciplinary process.
Example of Information Asset Register Format
| S.No. | Asset Name | Category | Confidentiality | Integrity | Availability | Aggregate Security Level | Label | Group/Department | Owner | Contact Details | Support Contact Details |
|---|---|---|---|---|---|---|---|---|---|---|---|
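As an added example that is not part of this policy, the following Python model of the register format above applies the classification rules the policy states: unmarked information is deemed PUBLIC, a group takes the highest classification of its members, and portable media is always handled as RESTRICTED. It assumes that the Confidentiality, Integrity and Availability columns use the same three labels and that the Aggregate Security Level is the highest of the three; the sample records, names and contact addresses are constructed.

```python
# Added example (not the policy's own tooling): a small model of the Information
# Asset Register rows, applying the classification rules stated in sections 4 and 4.7.
# Assumptions (not stated in the policy): C/I/A ratings use the same three labels,
# and the Aggregate Security Level is the highest of the three ratings.
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The policy's three labels, ordered from lowest to highest sensitivity.
LEVELS = ("PUBLIC", "CONTROLLED", "RESTRICTED")


def rank(label: str) -> int:
    """Position of a label in the ordering; rejects anything outside the scheme."""
    if label not in LEVELS:
        raise ValueError(f"unknown classification label: {label!r}")
    return LEVELS.index(label)


def highest(labels: Iterable[str]) -> str:
    """Policy rule: where information is grouped, the highest classification applies.
    Nothing marked at all is deemed PUBLIC."""
    marked = list(labels)
    return max(marked, key=rank) if marked else "PUBLIC"


@dataclass
class AssetRecord:
    serial_no: int
    asset_name: str
    category: str
    group: str
    owner: str
    contact: str
    support_contact: str
    # None models "not specifically marked" for a rating.
    confidentiality: Optional[str] = None
    integrity: Optional[str] = None
    availability: Optional[str] = None

    def aggregate_security_level(self) -> str:
        # Assumption: aggregate = highest of the three ratings; unmarked ratings count as PUBLIC.
        ratings = [r for r in (self.confidentiality, self.integrity, self.availability) if r]
        return highest(ratings)

    def label(self) -> str:
        # Section 4: portable/local media is RESTRICTED irrespective of what is stored on it.
        if self.category == "Portable media":
            return "RESTRICTED"
        return self.aggregate_security_level()

    def issues(self) -> List[str]:
        """Checks a register row must pass before it is accepted as recorded."""
        problems = []
        if not self.owner:
            problems.append("no information asset owner recorded")
        for name, value in (("C", self.confidentiality), ("I", self.integrity),
                            ("A", self.availability)):
            if value is not None and value not in LEVELS:
                problems.append(f"{name} rating {value!r} is not PUBLIC/CONTROLLED/RESTRICTED")
        return problems


def group_label(records: Iterable[AssetRecord]) -> str:
    """Label to apply to every asset held together (e.g. one folder or one backup set)."""
    return highest(r.label() for r in records)


def register_row(r: AssetRecord) -> str:
    """Render one row in the register's column order."""
    cells = [str(r.serial_no), r.asset_name, r.category,
             r.confidentiality or "PUBLIC", r.integrity or "PUBLIC", r.availability or "PUBLIC",
             r.aggregate_security_level(), r.label(), r.group, r.owner, r.contact, r.support_contact]
    return "| " + " | ".join(cells) + " |"


# Constructed sample records for illustration only.
SAMPLE = [
    AssetRecord(1, "Payroll database", "Database", "Finance", "Head of Finance",
                "finance@example.invalid", "ict-helpdesk@example.invalid",
                confidentiality="RESTRICTED", integrity="CONTROLLED", availability="CONTROLLED"),
    AssetRecord(2, "Staff handbook", "User guide", "HR", "HR Manager",
                "hr@example.invalid", "ict-helpdesk@example.invalid"),
    AssetRecord(3, "Backup tape set 12", "Portable media", "ICT", "",
                "ict@example.invalid", "ict-helpdesk@example.invalid",
                confidentiality="PUBLIC", integrity="PUBLIC", availability="CONTROLLED"),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(register_row(rec), rec.issues())
    print("label for the whole group:", group_label(SAMPLE))
```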