MUSC Policy: Information Security - Asset Inventory and Classification

 TITLE: Information Security - Asset Inventory and Classification  ID:
 ORIGINATOR: Information Security Office  DATE: April 20, 2009
 REVIEWED: President's Council  DATE: January 26, 2011
 APPROVED: Raymond S. Greenberg, MD, PhD  DATE: January 26, 2011
 IMPLEMENTATION: Enterprise-wide  DATE: January 26, 2011

1. RATIONALE

Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:

HIPAA Security: 164.306(a) General requirements
HIPAA Security: 164.308(a)(ii)(A) Risk analysis
HIPAA Security: 164.308(a)(ii)(B) Risk management
HIPAA Security: 164.308(a)(7)(i) Standard: Contingency plan
HIPAA Security: 164.308(a)(7)(ii)(E) Applications and data criticality analysis

2. POLICY

MUSC's information assets shall be properly inventoried, and classified in terms of their sensitivity and criticality. Asset types include information, information systems, computers, and electronic storage media.

The Office of the CIO (OCIO) shall maintain enterprise-wide inventories (registries) of assets. The designated owner of each information asset shall maintain accurate information about the asset, in the appropriate OCIO registry.

All information under MUSC's stewardship shall be classified in terms of its sensitivity. This includes: electronic information, information recorded on paper, and information expressed orally or visually (such as by telephone, video conferencing or whiteboard). For classification purposes, MUSC has defined 3 levels of sensitivity: Public, MUSC Restricted, and MUSC Protected.

3. PROCEDURES

3.1. Definitions

Refer to MUSC Policy: Information Security: Appendix A.

3.2. Asset Types

3.2.1 Information

Workforce members are responsible for understanding the classification level of the information that they handle, the restrictions on their use of that information, and their assigned data protection responsibilities.

Workforce members should access MUSC Restricted or MUSC Protected information only as authorized, and in the case of electronic information, only from authorized computers and locations.

3.2.2 Information Systems

The designated Owner of each MUSC System is responsible for providing accurate and timely inventory information to the appropriate OCIO registr(ies).

The System Owner must ensure that the information that is created, received, stored and/or transmitted by the System has been accurately classified. If a System must handle MUSC Protected information, then the System's security controls must meet the minimum baseline data protection standards for MUSC Protected information.

Each User of a System must be aware of the System's requirements for information handling and data protection.

3.2.3 Computers

The owner or administrator of each MUSC computer is responsible for providing accurate and timely inventory information to the appropriate OCIO registr(ies). This includes servers, workstations, laptops and other portable computers, and smartphones and other interactive electronic devices.

If a computer must be used to store MUSC Protected information, then the computer's location and its contents must be accurately tracked and documented at all times.

3.2.4 Electronic Storage Devices and Media

If an electronic storage device or other digital medium must be used to store MUSC Protected information, then the location and the contents of the device or medium must be accurately tracked and documented at all times.

3.2. Sanctions

Refer to MUSC Policy: Information Security: Sanctions.

3.3. See Also

MUSC Policy: Information Security
MUSC Policy: Information Security - Data Protection
MUSC Policy: Information Security - Risk Management
MUSC Policy: Information Security - Workforce Security

4. ACCESS

This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.