Body
IT ASSET MANAGEMENT SECURITY POLICY
Policy Objective
This policy is to ensure the proper treatment of IT Assets, including hardware and software, at Parkland College.
Scope
All IT Assets at Parkland College and the persons who acquire, use, maintain, manage, or otherwise interact with those assets.
Policy
Section 1 – Acquisition
- IT Assets must only be acquired from vendors which have been evaluated and approved by the organization.
- The IT Asset acquisition process must consider the entire lifecycle of the asset to be acquired and must consider the data storage, utilization, and processing requirements related to the asset.
Section 2 – Inventory
- All IT Assets, including physical devices and software platforms, must be inventoried in detail in a centralized system.
- All relevant information regarding the asset shall be included in the inventory including the classification, criticality, and risk of the asset.
- Every IT Asset must have an assigned asset owner with responsibility for managing the asset throughout its lifecycle.
- Additional details must be recorded and maintained in accordance with any applicable standards associated with this policy.
Section 4 – Prioritization and Classification
- Each IT Asset must be assigned a classification relative to the risk of the asset.
- Each IT Asset must be prioritized and assigned priority must consider both the criticality of the asset as well as the classification of data to be stored, processed, or accessed by the Asset and the value of the Asset to Parkland College.
Section 5 – External Information Systems
- External Information Systems must be documented, inventoried, and prioritized based upon criticality and risk.
- Acquisition of External Information Systems shall be subject to security review prior to the execution of the acquisition.
- Every External Information System must have an assigned owner with responsibility for managing the system during the lifetime of the system’s usage.
Section 5 – Dependency and Change Management
- All Information Systems and IT Assets, both internal and external, must have dependencies and data flows documented and managed.
- System interdependencies must be considered when changes are made.
- Changes made to IT Assets, including systems both internal and external, must follow the Parkland College Change Enablement and Control policies, standards, and processes.
- Provisioned IT systems and services should have a test or other non-production environment to facilitate testing and change validation.
Section 5 – Asset Lifecycle
- The lifecycle of IT Assets shall be managed from acquisition to disposition based on the classification of data they contain and the risk to the organization.
- Every IT Asset shall be actively managed and valid support, wherever possible, shall be maintained throughout the asset’s usable life.
- IT Assets that access, store, process, or otherwise interact with sensitive data shall be securely disposed of when the asset is no longer functionally used.
Section 5 – Asset Security
- Information Systems shall be configured in accordance with the Secure Systems Configuration Standard.
- All IT Assets storing, processing, accessing, or interacting with data classified as “Confidential” or “Private” shall be configured in such a way as to protect the Confidentiality, Integrity, and Availability of that information.