The objectives of AU's policy for asset management are:
Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. (A.8.1.1)
Assets maintained in the inventory shall be owned. (A.8.1.2)
Unit managers with ownership of critical information assets at Aarhus University must ensure that the assets are included in an updated catalogue with instructions for all security measures implemented.
Unit management must appoint a system owner for critical IT systems assets.
Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. (A.8.1.3)
The senior management team has included a common set of rules for the acceptable use of assets in its rules for information security.
Universitetsledelsen har defineret et fælles regelsæt for accepteret brug af aktiver i Regler for Informationssikkerhed.
All employees and external party users shall return all of the organizational assets in their possesion upon termination of their employment, contract or agreement. (A.8.1.4)
A number of initiatives have been planned and established centrally in order to comply with the above requirements:
|
Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. (A.8.2.1)
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. (A.8.2.2)
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. (A.8.2.3)
At Aarhus University, everyone must classify, label and handle information in accordance with Aarhus University’s information classification system.
A number of initiatives have been planned and established centrally in order to comply with the above requirements:
This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University. If you have other needs based on your risk assessment, this must be ensured locally. |
Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. (A.8.3.1)
Media shall be disposed of securely when no longer required, using formal procedures. (A.8.3.2)
Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. (A.8.3.3)
Unit management must ensure the above procedures are in place in order to prevent unauthorised disclosure, modification, removal or destruction of information stored on media.
A number of initiatives have been planned and established centrally in order to comply with the above requirements:
This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University. If you have other needs based on your risk assessment, this must be ensured locally. |
QUESTION GUIDE
Consider the question guide as a tool to navigate the requirements of the policy:
An asset is something of value to the university, such as property, machinery, warehouses, cars, fixtures, computers, servers, devices, IT systems, goodwill, patents, etc.
In connection with information security, 'assets' are defined broadly as e.g. IT systems, domains, audio and video recordings, tissue samples and paper documents containing information that needs to be protected in accordance with a risk assessment.
Critical assets include, as a minimum, IT systems (e.g. with system classification A) and other assets that can cause an unacceptable risk of accidental publication, compromise or loss at different units.