Assets Policy
General Terms:
· Cybersecurity requirements for managing King Saud University’s information and technology assets must be identified, documented, and approved.
· Cybersecurity requirements for managing King Saud University’s information and technology assets must be implemented.
· The acceptable use policy for King Saud University’s information and technology assets must be defined, documented, approved, and published.
· The acceptable use policy for King Saud University’s information and technology assets must be applied.
· Information and technology assets must be classified, labeled, and managed according to relevant legislative and regulatory requirements.
· Cybersecurity requirements for managing King Saud University’s information and technology assets must be reviewed annually.
Asset Inventory:
· King Saud University must establish processes and procedures for recording, maintaining, and updating the inventory of all information assets owned and managed by its departments and affiliated companies. Assets in this inventory may be categorized as, including but not limited to:
· Information assets, document assets, code and database assets, software assets, physical assets, service assets, and personnel assets.
· The asset inventory must include, but not be limited to:
· Asset identification, asset description, asset location, asset classification, asset value, asset labeling, asset owner, and asset coding.
Asset Classification:
· An asset classification level must be assigned to all assets maintained, stored, or produced by King Saud University.
· All users in King Saud University departments must comply with the specified information classification system.
· The classification of each asset must be reviewed annually based on its sensitivity.
· King Saud University classifies assets based on sensitivity, importance, confidentiality, privacy requirements, and asset value.
All assets of King Saud University are classified according to the following classification scheme:
- Top Secret
- Confidential
- Internal (Restricted)
- Public
Asset Ownership:
· King Saud University must designate an owner for each asset (from the department that holds it), who is responsible for classifying, protecting, managing, and handling that asset in accordance with this asset management policy.
· For each information asset, the following must be defined:
Owners:
· Department heads are responsible for the information assets within their functional authority, and specifically for the following:
· Identifying information assets.
· Classifying information assets.
· Ensuring that sensitive information is properly labeled wherever possible.
· Reviewing the classification of information assets.
· Communicating security controls and protection requirements to custodians and users.
Custodians:
· Directors, administrators, service providers, and those appointed by the asset owner to manage, process, or store information assets. Custodians are responsible for the following:
· Protecting King Saud University’s information to ensure its confidentiality, integrity, and availability.
· Implementing information security policies and best practices.
· Identifying and documenting authorized access to information.
· Providing backup and information recovery.
· Detecting and responding to security breaches, security violations, and vulnerabilities.
· Monitoring compliance with information security policies and best practices.
· Reporting any suspected or actual security breaches, security violations, and compromised information incidents to the information owner.
Users:
· Individuals, groups, or organizations authorized by the owner to access information assets. Users are responsible for the following:
· Understanding information asset classifications and complying with security controls set by the owner and applied by custodians.
· Maintaining the classification and labeling set by the owner and custodians.
· Contacting the owner when information is not labeled or the classification is unknown.
· Using information only for authorized King Saud University purposes.
· Reporting any suspected or actual security breaches, security violations, and compromised information incidents to the custodian or owner.
Labeling and Handling of Assets:
· All assets containing classified information must be stored according to King Saud University’s security policies, including:
- Storing in locked drawers or cabinets.
- Keeping any office where assets are stored locked when not in use.
- Not leaving storage keys in the office when the authorized person is absent.
· King Saud University must define and implement procedures for handling and storing assets to protect classified information from unauthorized disclosure or misuse.
· Labels on documents, hardware, and removable media must state the appropriate security classification.
· Media containing classified information must be logically and physically protected using all available security controls to ensure the confidentiality and integrity of information and information systems.
· Classified media must not be handed over to any external entity or third party unless authorized in writing by the administration with appropriate justification.
· Information assets must be maintained, processed, stored, transmitted (or transferred over the network), and disposed of according to King Saud University’s Asset Management procedures associated with the classification label of the information asset.
Asset Return:
· The Human Resources Department, in cooperation with relevant departments, must ensure that all information assets held by users are returned when their employment or contract ends. This may include, but is not limited to:
· A formal process for returning King Saud University’s information assets (e.g., inventory checklists).
· A formal process for returning or destroying King Saud University’s information of any kind.
· Procedures covering cases where personal devices have been used for King Saud University business.
Managing Information and Media:
· Cybersecurity requirements must be applied when managing portable information media and the related technology.
· All media must be stored in a secure and safe environment, and in accordance with the manufacturer’s specifications and applicable information security policies and procedures at King Saud University.
· The retention period for all sensitive and critical information assets must be documented.
· All media must be disposed of in accordance with the Information Asset Management procedures once its retention period expires or it is no longer in use. Each disposal must be documented and the asset owner notified.
· All media that has been disposed of must be recorded in an updated media disposal log to maintain an audit trail.
· All sensitive information, whether in printed documents or stored electronically, that is no longer needed must be securely disposed of using approved equipment and procedures so that the information cannot be recovered. Approved disposal methods include, but are not limited to:
- Degaussing (applicable to magnetic media only; it does not sanitize solid-state or flash storage)
- Shredding
- Pulping/Recycling
- Incineration
· A record of sensitive information disposed of must be retained for at least 5 years according to King Saud University’s regulatory requirements. The record must, at a minimum, include:
- A description of the information disposed of.
- Name of the person disposing of the information.
- Name of the information asset owner.
- Method of disposal.
· Information must be handled, processed, stored, and transmitted according to appropriate procedures based on its classification to protect the information from unauthorized disclosure or misuse.
· Formal policies, procedures, and standards must be developed and maintained to protect media in physical transit outside King Saud University buildings from unauthorized access, misuse, or corruption.