Asset Management Standard
Winston-Salem State University (WSSU) must maintain a documented inventory of institutionally-owned physical assets associated with information processing. Information and information resources must also be identified, classified, documented and have documented owners. Procedures must be developed to ensure the security of information resource assets against unauthorized or accidental modification, destruction, or disclosure. These controls are to ensure the confidentiality, integrity, and availability of information and other assigned information resources.
- Responsibility for assets
  - All information resource assets listed in the asset inventory should have an assigned owner, department, or unit who will ensure the assets are protected in a manner consistent with their value, sensitivity, and criticality to the business and operation of the campus.
  - Rules for the acceptable use of information and assets associated with information and information processing facilities should be implemented and communicated to the employees and contractors who have access to those assets.
  - All employees and contractors must return all WSSU assets in their possession upon termination of their employment or contract.
  - All hardware assets will be named in accordance with the WSSU Office of Information Technology approved standardized naming convention.
- Information classification
  To ensure the data used and managed by WSSU receives an appropriate level of protection commensurate with the value, importance, and criticality of the data, all information must be classified.
  The following information classification system shall be used to categorize data for risk assessments, making risk management decisions, establishing controls, and for protecting information:
  - Confidential - includes confidential information that must be protected from unauthorized disclosure or public release based on state or federal law, legal agreements, or information that requires a high degree of confidentiality, integrity, or availability.
  - Controlled - includes information that is proprietary to the institution or has moderate requirements for confidentiality, integrity, or availability.
  - Public - includes information with low requirements for confidentiality, integrity, or availability and information intended for public release as described in the North Carolina Public Records Statute.
- Media Handling
  The head of the institution of higher education, or their designated representative(s), shall review and approve information ownership and associated responsibilities, including personnel, equipment, or information technology hardware and software.
  Custodians of information resources, including external parties providing outsourced information resources services, must implement controls that provide physical, technical, and procedural safeguards for information resources.