BP.05.001 - Business Practice for Information Asset Ownership
- Business Practice Number: BP.05.001
- Version: 2
- Drafted By: Neal Fisch
- Approved By: Michael Berman
- Approval Date: 03/07/2013
- Latest Revision Date: 08/12/2013
Describe the responsibilities of designated information asset owners.
Channel Islands must develop and maintain a data classification standard that meets or exceeds the CSU Data Classification Standard. Campuses must maintain an inventory of information assets containing level 1 or level 2 data as defined in the CSU Data Classification Standard. These assets must be categorized and protected throughout their entire life cycle, from origination to destruction. These assets must have a designated owner whose responsibilities include classification, security requirements and management of their designated information assets.
Business Practice
VP for Technology & Communication (CIO)
Information Security Officer (ISO)
All designated information asset owners, all University consumers of information assets who have access to level 1 and level 2 confidential data.
- Information Asset - An information asset is stored information that is considered “valuable” by an organization.
- Information Asset Owner - The party(ies) responsible for managing an information asset, including defining the security requirements that are proportionate to the value of the information asset.
Each campus must develop and maintain a data classification standard that meets or exceeds the requirements of the CSU Data Classification Standard.
Campuses must maintain an inventory of information assets containing level 1 or level 2 data as defined in the CSU Data Classification Standard. These assets must be categorized and protected throughout their entire life cycle, from origination to destruction.
The designated owner of information assets that store protected data is responsible for:
- Classifying the information asset according to the campus Data Classification Standard.
- Defining security requirements that are proportionate to the value of the information asset.
- Managing the information asset according to the requirements described in the campus Information Asset Management Standard and the CSU Records Retention Schedule.
Critical or protected data must not be transferred to another individual or system without approval of the designated data owner. Before critical or protected data is transferred to a destination system, the data owner should establish agreements to ensure that authorized users implement appropriate security measures.
Delegation of Authority
Designated data owners may delegate signature authority for approval of data usage or data access. Requests for delegation of authority for data ownership are to be directed to the Information Security Officer. Signed requests delegating signature authority will be retained by the Information Security Office and assessed annually by the Information Security Officer and the designated data owner.
Assessment History
| Review of business practice. | Annual | Information Security Officer |