BP.05.001 - Business Practice for Information Asset Ownership

Printable Version in PDF Format (Get Adobe Acrobat)

Table of Contents

• History
• Purpose
• Background
• Business Practice
  • Accountability
  • Applicability
  • Definition(s)
  • Text
• Exhibit(s)
  • Assessment History

History [top]

• Business Practice Number: BP.05.001
• Version: 2
• Drafted By: Neal Fisch
• Approved By: Michael Berman
• Approval Date: 03/07/2013
• Latest Revision Date: 11/22/2013

Purpose [top]

Describe the responsibilities of designated information asset owners.

Background [top]

Channel Islands must develop and maintain a data classification standard that meets or exceeds the CSU Data Classification Standard. Campuses must maintain an inventory of information assets containing level 1 or level 2 data as defined in the CSU Data Classification Standard.  These assets must be categorized and protected throughout their entire life cycle, from origination to destruction. These assets must have a designated data steward whose responsibilities include  classification, security requirements and management of their designated information assets.

Business Practice [top]

Accountability [top]

VP for Information Technology Services (CIO)

Information Security Officer (ISO)

Applicability [top]

All designated information asset stewards, all University consumers of information assets who have access to level 1 and level 2 confidential data.

Definition(s) [top]

1. Information Asset - An information asset is stored information that is considered “valuable” by an organization.
2. Information Asset Steward – The party(ies) responsible for managing an information asset including defining the security requirements that are proportionate to the value of the information asset.

Text [top]

General

Each campus must develop and maintain a data classification standard that meets or exceeds the requirements of the CSU Data Classification Standard. 

Campuses must maintain an inventory of information assets containing level 1 or level 2 data as defined in the CSU Data Classification Standard.  These assets must be categorized and protected throughout their entire life cycle, from origination to destruction.

The designated steward of information assets that store protected data is responsible for:

1. Classifying the information asset according to the campus Data Classification Standard.
2. Defining security requirements that are proportionate to the value of the information asset.
3. Managing the information asset according to the requirements described in the campus Information Asset Management Standard and the CSU Records Retention Schedule.

Critical or protected data must not be transferred to another individual or system without approval of the designated data steward. Before critical or protected data is transferred to a destination system, the data steward should establish agreements to ensure that authorized users implement appropriate security measures.

Delegation of Authority

Designated data stewards may delegate signature authority for approval of data usage or data access.  Requests for delegation of authority for data stewardship are to be directed to the Information Security Officer.  Signed requests delegating signature authority will be retained by the Information Security Office and assessed annually by the Information Security Officer and the designated data steward.

Exhibit(s) [top]

Designated data stewards by data category.

Assessment History [top]