In a previous post, I introduced the International Standards Organisation (ISO) standards for information security, ISO27001 and ISO27002, and highlighted the benefits of a best-practice approach to information security.
The standard includes a set of controls related to the protection of “organisational assets.”
The controls set out that all (information) assets should be on an inventory. As part of asset management, the SBM will already have an inventory of assets for accounting purposes, and this will provide the accounting value of (what are probably) physical assets. However, the information security value may differ and has to be assessed through a risk assessment: what would be the impact if this information were lost or made public? Regulatory and reputational risk must be included in your risk register or plan.
Information assets form a larger group than physical assets such as IT and communications hardware, though you should include these. You should also include all software, and of course all data whether stored online, offline, or in hard copy. Data will at least include all files, plans, documents, financial information, accounting information, and teaching materials. The Network Manager will provide information on how the IT systems are organised, where data is stored and how data is organised and used.
Each asset identified should have a designated owner, and should be subject to an acceptable use policy. It’s important to note that when an asset is assigned to an “owner” in this context, it does not mean the “owner” has property rights. The owner is accountable for the security of the assets which he or she “owns”.
The recommended approach is to assign assets not to named persons but to roles or parts of the organisation. This makes for clearer documentation and avoids information becoming out of date when persons change roles or leave the organisation. The ownership of information assets can then be linked to the documented roles and responsibilities. This has the added benefit of documenting the organisation.
It is not best practice to assign all IT hardware, software, and electronically stored data to the network manager (or equivalent) as owner. It is more effective to assign ownership of data to a departmental head or (senior) manager or member of SLT. This ownership should match the person's roles and responsibilities in two ways: firstly, ownership should be assigned to the role which uses or is best placed to manage the asset; and secondly, to a role with financial authority matching the value (and risk) of the asset.
For each information asset, there should be an approved policy setting out the acceptable use. The “owner” is accountable (and depending on the organisation, may be responsible) for making sure that the rules are fit for purpose, are documented, are reviewed and approved, and that the rules are communicated and are followed. The implementation of the acceptable use policy manages the risks to the information asset.
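The controls described above (an inventory of every information asset, an owner that is a documented role rather than a person, an approved acceptable use policy, and a risk assessment separate from the accounting value) translate naturally into a checkable asset register. The following Python is an added illustration, not code from the original post or from the ISO standards; the role names, impact scale, AUP references and sample assets are constructed for the example.

```python
"""Added example: a minimal information-asset register with a gap check
against the asset-management controls discussed above. Illustrative code
only; roles, impact scale and sample assets are constructed."""
from dataclasses import dataclass
from typing import Optional

# Documented roles that may own assets (constructed example organisation chart).
# Ownership is assigned to roles, never to named individuals.
DOCUMENTED_ROLES = {"Network Manager", "Finance Manager", "Exams Officer", "Head of Science"}

# Impact scale used by the risk assessment (assumed: 1 = negligible .. 4 = severe).
IMPACT_LEVELS = range(1, 5)


@dataclass
class RiskAssessment:
    loss_impact: int            # impact if the asset were lost or unavailable
    disclosure_impact: int      # impact if the asset were made public
    regulatory_risk: bool       # e.g. personal data covered by data-protection law
    reputational_risk: bool


@dataclass
class InformationAsset:
    name: str
    kind: str                               # "hardware", "software" or "data"
    owner: Optional[str]                    # a documented role, not a person
    accounting_value: float                 # value held in the finance inventory
    acceptable_use_policy: Optional[str]    # reference to the AUP document
    aup_approved: bool = False
    risk: Optional[RiskAssessment] = None


def check_asset(asset, roles=DOCUMENTED_ROLES):
    """Return the list of control gaps for one asset (empty list = no gaps)."""
    gaps = []
    if not asset.owner:
        gaps.append("no owner assigned")
    elif asset.owner not in roles:
        gaps.append(f"owner '{asset.owner}' is not a documented role")
    if not asset.acceptable_use_policy:
        gaps.append("no acceptable use policy")
    elif not asset.aup_approved:
        gaps.append("acceptable use policy not approved")
    if asset.risk is None:
        gaps.append("no information security risk assessment")
    else:
        for label, level in (("loss", asset.risk.loss_impact),
                             ("disclosure", asset.risk.disclosure_impact)):
            if level not in IMPACT_LEVELS:
                gaps.append(f"{label} impact {level} is outside the scale")
    return gaps


def security_priority(asset):
    """Highest of the two impact ratings, raised one step (capped) where
    regulatory or reputational risk applies. Deliberately independent of
    accounting_value: a cheap folder of exam papers can rate higher than a server."""
    if asset.risk is None:
        return None
    level = max(asset.risk.loss_impact, asset.risk.disclosure_impact)
    if asset.risk.regulatory_risk or asset.risk.reputational_risk:
        level = min(level + 1, max(IMPACT_LEVELS))
    return level


def audit_register(assets):
    """Map asset name -> gaps, listing only assets that have at least one gap."""
    return {a.name: check_asset(a) for a in assets if check_asset(a)}


# Constructed sample register.
REGISTER = [
    InformationAsset("Pupil records database", "data", "Finance Manager", 0.0,
                     "AUP-DATA-01", True,
                     RiskAssessment(3, 4, regulatory_risk=True, reputational_risk=True)),
    InformationAsset("Mock exam papers (hard copy)", "data", "Exams Officer", 20.0,
                     "AUP-EXAMS-02", True,
                     RiskAssessment(2, 3, regulatory_risk=False, reputational_risk=True)),
    InformationAsset("Staff laptop #17", "hardware", "J. Smith", 650.0,
                     "AUP-IT-01", True,
                     RiskAssessment(2, 2, regulatory_risk=False, reputational_risk=False)),
    InformationAsset("Timetabling software", "software", "Network Manager", 1200.0,
                     None, False, None),
]

if __name__ == "__main__":
    for name, gaps in audit_register(REGISTER).items():
        print(f"{name}: {'; '.join(gaps)}")
    for a in REGISTER:
        print(f"{a.name}: accounting value {a.accounting_value}, "
              f"security priority {security_priority(a)}")
```

Running the script lists the laptop (owner is a named person, not a role) and the timetabling software (no AUP, no risk assessment) as gaps, and shows the exam papers outranking the laptop on security priority despite a far lower accounting value, which is the distinction the post draws between the finance inventory and the information security assessment.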
An example of acceptable use which should already be in place would be a policy that school IT equipment is not used to access inappropriate websites or for any use which might put the organisation at regulatory or reputational risk. The control might be implemented using firewalls or software which prevent and log such access.
In some cases, acceptable use will be determined by external organisations. Use of software, for example, will be subject to licensing arrangements. Examination papers will have to be controlled and used in a manner satisfactory to the Examination Boards.
Putting into effect “appropriate protection” for assets is a major step towards information security and managing risk. In a subsequent post, I will look at Information Classification, which works together with responsibility for assets.