BP.05.001 - Business Practice for Information Asset Ownership

Printable Version in PDF Format (Get Adobe Acrobat)

Table of Contents

History [top]

  • Business Practice Number: BP.05.001
  • Version: 1
  • Drafted By: Neal Fisch
  • Approved By: Michael Berman
  • Approval Date: 03/07/2013
  • Latest Revision Date:

Purpose [top]

Describe the responsibilities of designated information asset owners.

Background [top]

Channel Islands must develop and maintain a data classification standard that meets or exceeds the CSU Data Classification Standard. Campuses must maintain an inventory of information assets containing level 1 or level 2 data as defined in the CSU Data Classification Standard.  These assets must be categorized and protected throughout their entire life cycle, from origination to destruction. These assets must have a designated owner whose responsibilities include  classification, security requirements and management of their designated information assets.

Business Practice [top]

Accountability [top]

VP for Technology & Communication (CIO)

Information Security Officer (ISO)

Applicability [top]

All designated information asset owners, all University consumers of information assets who have access to level 1 and level 2 confidential data.

Definition(s) [top]

  1. Information Asset - An information asset is stored information that is considered “valuable” by an organization.
  2. Information Asset Owner – The party(ies) responsible for managing an information asset including defining the security requirements that are proportionate to the value of the information asset.

Text [top]

General

Each campus must develop and maintain a data classification standard that meets or exceeds the requirements of the CSU Data Classification Standard. 

Campuses must maintain an inventory of information assets containing level 1 or level 2 data as defined in the CSU Data Classification Standard.  These assets must be categorized and protected throughout their entire life cycle, from origination to destruction.

The designated owner of information assets that store protected data is responsible for:

  1. Classifying the information asset according to the campus Data Classification Standard.
  2. Defining security requirements that are proportionate to the value of the information asset.
  3. Managing the information asset according to the requirements described in the campus Information Asset Management Standard and the CSU Records Retention Schedule.

Critical or protected data must not be transferred to another individual or system without approval of the designated data owner. Before critical or protected data is transferred to a destination system, the data owner should establish agreements to ensure that authorized users implement appropriate security measures.

Exhibit(s) [top]

Assessment History [top]

Description Frequency Role Assigned
Review of business practice. Annual             Information Security Officer         
©