Policy for asset management (A.8)

On this page you will find the current asset management policy to ensure adequate protection of AU's assets and information in accordance with the university's data classification.


Objective

The objectives of AU's policy for asset management are:

  • to identify organizational assets and define appropriate protection responsibilities
  • to ensure that information receives an appropriate level of protection in accordance with its importance to the organization
  • to prevent unauthorized disclosure, modification, removal or destruction of information stored on media

Responsibility for assets (A.8.1)

Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. (A.8.1.1)

Assets maintained in the inventory shall be owned. (A.8.1.2)

Unit managers with ownership of critical information assets at Aarhus University must ensure that the assets are included in an updated catalogue with instructions for all security measures implemented.
Unit management must appoint a system owner for critical IT systems assets.

Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. (A.8.1.3)

The senior management team has included a common set of rules for the acceptable use of assets in its rules for information security.

The senior management team has defined a common set of rules for the acceptable use of assets in the Rules for Information Security.

All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. (A.8.1.4)

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re. A.8.1.1 List of assets:
    • AU IT maintains a list of assets such as IT equipment/devices offered by AU IT. Where relevant, such equipment/devices will have been labelled with an AU theft sticker (identification number which can be traced to the serial number of the equipment/device). Other information assets must be labelled and registered in some other way.
  • Re. A.8.1.3 Acceptable use of assets:
  • Re. A.8.1.4 Return of assets:
    • The severance rules stipulated by AU HR apply for employees. With regard to issuing assets to other persons locally, the responsible unit manager must ensure that the relevant organisational assets are returned upon termination of the cooperation or contract.

Information classification (A.8.2)

Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. (A.8.2.1)

An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. (A.8.2.2)

Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. (A.8.2.3)

At Aarhus University, everyone must classify, label and handle information in accordance with Aarhus University’s information classification system.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re. A.8.2.1-A.8.2.3 Classification, marking and handling of information: 
    • As a rule, classification, marking and handling must be in accordance with Aarhus University's joint information classification system. Any further procedures must be identified locally on the basis of a risk assessment.

This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.

If you have other needs based on your risk assessment, this must be ensured locally.

Media handling (A.8.3)

Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. (A.8.3.1)

Media shall be disposed of securely when no longer required, using formal procedures. (A.8.3.2)

Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. (A.8.3.3)

Unit management must ensure the above procedures are in place in order to prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re. A.8.3.1-A.8.3.2 Management and disposal of media:
    • As a rule, management and disposal of media must be in accordance with Aarhus University's joint information classification system and procedures. Any further procedures must be identified locally on the basis of a risk assessment.
  • Re. A.8.3.3 Physical media during transport:
    • See the guidelines for remote working (under preparation).

This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.

If you have other needs based on your risk assessment, this must be ensured locally.

Question guide

Consider the question guide as a tool to navigate the requirements of the policy:

  • What assets is the unit responsible for? (overview)
  • Does the management team have a comprehensive record of the important assets for which it is responsible? (documented overview)
  • Which unit assets are the most critical? (in order of priority)
  • Who is the respective owner of each asset? (Ownership must be documented, and owners must be aware of their role and responsibilities)
  • What is the data classification of the unit's information and assets? (determines criticality and degree of protection)
  • What are the rules for correctly handling assets? How is it ensured that the requirements for handling data and assets are disseminated and complied with?
  • How is it ensured that assets are returned upon termination of a relationship with AU?
  • How is it ensured and documented that risk assessments of the unit's key assets are carried out and updated?
  • How is it ensured and documented that inadequate security measures are followed up on? (based on risk assessments)
  • How are procedures for handling and disposing of portable media in accordance with data classification ensured and documented?

An asset is something of value to the university, such as property, machinery, warehouses, cars, fixtures, computers, servers, devices, IT systems, goodwill, patents, etc.

In connection with information security, 'assets' are defined broadly as e.g. IT systems, domains, audio and video recordings, tissue samples and paper documents containing information that needs to be protected in accordance with a risk assessment.

Critical assets include, as a minimum, IT systems (e.g. with system classification A) and other assets that can cause an unacceptable risk of accidental publication, compromise or loss at different units.