|TITLE: Information Security - Asset Inventory and Classification||ID:|
|ORIGINATOR: Information Security Office||DATE: April 20, 2009|
|REVIEWED: President's Council||DATE: January 26, 2011|
|APPROVED: Raymond S. Greenberg, MD, PhD||DATE: January 26, 2011|
|IMPLEMENTATION: Enterprise-wide||DATE: January 26, 2011|
Please refer to MUSC Information Security Rationale: The Need for Safeguards for an overview of the legal and ethical considerations that have motivated the development of this policy. The following laws and regulations have particular relevance:
MUSC's information assets shall be properly inventoried, and classified in terms of their sensitivity and criticality. Asset types include information, information systems, computers, and electronic storage media.
The Office of the CIO (OCIO) shall maintain enterprise-wide inventories (registries) of assets. The designated owner of each information asset shall maintain accurate information about the asset, in the appropriate OCIO registry.
All information under MUSC's stewardship shall be classified in terms of its sensitivity. This includes: electronic information, information recorded on paper, and information expressed orally or visually (such as by telephone, video conferencing or whiteboard). For classification purposes, MUSC has defined 3 levels of sensitivity: Public, MUSC Restricted, and MUSC Protected.
Workforce members are responsible for understanding the classification level of the information that they handle, the restrictions on their use of that information, and their assigned data protection responsibilities.
Workforce members should access MUSC Restricted or MUSC Protected information only as authorized, and in the case of electronic information, only from authorized computers and locations.
The designated Owner of each MUSC System is responsible providing accurate and timely inventory information to the appropriate OCIO registr(ies).
The System Owner must ensure that the information that is created, received, stored and/or transmitted by the System has been accurately classified. If a System must handle MUSC Protected information, the the System's security controls must meet the minimum baseline data protection standards for MUSC Protected information.
Each User of a System must be aware of the System's requirements for information handling and data protection.
The owner or administrator of each MUSC computer is responsible for providing accurate and timely inventory information to the appropriate OCIO registr(ies). This includes servers, workstations, laptops and other portable computers, and smartphones and other interactive electronic devices.
If a computer must be used to store MUSC Protected information, then the computer's location and its contents must be accurately tracked and documented at all times.
If an electronic storage device or other digital medium must be used to store MUSC Protected information, then the location and the contents of the device or medium must be accurately tracked and documented at all times.
This policy will be maintained and published electronically by the Information Security Office. This policy is a public document and there are no restrictions on its distribution.