
Assets Policy

Policy Clauses:

General Requirements:

 

·         Cybersecurity requirements for managing King Saud University’s information and technology assets must be defined, documented, and approved.

·         Cybersecurity requirements for managing King Saud University’s information and technology assets must be implemented.

·         An Acceptable Use Policy (AUP) for King Saud University’s information and technology assets must be defined, documented, and published.

·         The Acceptable Use Policy for King Saud University’s information and technology assets must be enforced.

·         The University’s information and technology assets must be classified, labeled, and handled in accordance with applicable legislative and regulatory requirements.

·         Cybersecurity requirements for managing King Saud University’s information and technology assets must be reviewed annually.

 

Asset Stocktaking:

 

King Saud University must establish processes and procedures to record, maintain, and update the inventory of all information assets owned and managed by its departments and affiliated entities. This inventory may include, but is not limited to:

 

·         Information assets, Document assets, Code and database assets, Software assets, Physical assets, Service assets, Personnel assets.

The asset stocktaking must include, at a minimum:

·         Asset identification, Asset description, Asset location, Asset classification, Asset value, Asset labeling, Asset owner, Asset coding.

 

Assets Classification:

 

·         All assets maintained, stored, or produced by King Saud University must be assigned a classification level.

·         All users of King Saud University departments must comply with the specified information classification system.

·         Each asset’s classification must be reviewed annually based on its sensitivity.

·         King Saud University determines asset classifications based on sensitivity, importance, confidentiality, privacy requirements, and asset value.

 

All King Saud University assets must be classified according to the following classification scheme:

 

·         Top Secret

·         Secret

·         Internal (Restricted)

·         Public

 

Asset Ownership:

 

King Saud University shall designate an asset owner (from each department) responsible for assigning classifications, protecting, managing, and handling information assets in accordance with the Asset Management Policy.

 

For each information asset, the following roles must be defined:

 

Owners:

Managers of organizational units with primary responsibility for information assets within their functional authority, responsible for:

 

·         Identifying information assets.

·         Classifying information assets.

·         Ensuring appropriate labeling, wherever possible, for sensitive information.

·         Reviewing information asset classification.

·         Communicating security controls and protection requirements to custodians and users.

 

Custodians:

Managers, administrators, service providers, and those appointed by the asset owner to manage, process, or store information assets. Custodians are responsible for:

 

·         Protecting King Saud University information to ensure its confidentiality, integrity, and availability.

·         Applying information security policies and best practices.

·         Identifying and documenting authorized access requirements.

·         Providing backup and recovery of information.

·         Detecting and responding to security breaches, security violations, and vulnerabilities.

·         Monitoring compliance with information security policies and best practices.

·         Reporting any suspected or actual security breaches, compromised information, or incidents to the asset owner.

 

Users:

Individuals, groups, or organizations authorized by the asset owner to access information assets. Users are responsible for:

 

·         Understanding asset classifications and adhering to security controls defined by the owner and applied by custodians.

·         Maintaining asset classification and labels assigned by owners.

·         Contacting the owner when information is unlabeled or classification is unknown.

·         Using the information only for approved King Saud University purposes.

·         Reporting any suspected or actual security breaches, compromised information, or incidents to the custodian or owner.

 

Asset Labeling and Handling:

For all assets containing information classified as Confidential, King Saud University shall comply with the following:


·         Storing them in locked drawers or cabinets.

·         Keeping offices storing such assets locked when unoccupied.

·         Not leaving storage keys in the office when the authorized person is absent.

The University defines and establishes procedures for handling and storing assets to protect them from unauthorized disclosure or misuse.

 

Asset and information management policies and procedures must include physical protection requirements for removable media.

 

Media containing information classified as Confidential must be protected both logically and physically through all available and applicable security controls to ensure the confidentiality of information and information systems.

 

Media containing information classified as Confidential must not be provided to any external entity or third party unless formally authorized in writing by management with appropriate justification.

 

Information assets must be maintained, processed, stored, transmitted physically (or over the network), and destroyed in accordance with the University’s Asset Management procedures relevant to their classification label.

 

 

Asset Recovery:

The Human Resources Department, in cooperation with the relevant departments, shall ensure that all information users return all King Saud University assets in their possession upon termination of their employment, contract, or agreement. This may include, but is not limited to:

 

·         A formal check-in process (e.g., audit checklists against inventory) for King Saud University’s information assets.

·         A formal process for returning or disposing of any type of King Saud University information.

·         When personal devices are used for work purposes related to King Saud University.

Information and Media Handling Management:

 

·         Cybersecurity requirements must be considered in the management of portable technology media and related technology media.

·         All media must be stored in a secure environment in accordance with manufacturer specifications and applicable King Saud University information security policies and procedures.

·         The retention period for all sensitive and critical information assets must be documented.

·         All media must be disposed of according to information asset management procedures, retention periods, or end-of-use conditions. Upon disposal, it must be documented, and the asset owner must be informed.

·         All disposed media must be recorded in a designated media disposal log to maintain an audit trail.

·         Sensitive information, whether in printed form or stored electronically, that is no longer required must be securely destroyed using approved equipment and procedures to ensure the information cannot be recovered. Disposal methods include, but are not limited to:

·         Shredding

·         Pulping/Recycling

·         Incineration

·         Degaussing

Hard drive formatting and zero-filling must be used for all media intended for reuse.

 

Records of disposed sensitive information must be retained for at least five years in accordance with King Saud University regulatory requirements and must include, at a minimum:

 

·         Information disposed of

·         Name of the person performing the disposal

·         Name of the asset owner

·         Disposal method used

·         Appropriate procedures must be defined for handling, processing, storing, and transmitting information based on its classification to protect it from unauthorized disclosure or misuse.

·         Formal policies, procedures, and standards must be established and maintained to protect the physical transfer of media outside King Saud University premises from unauthorized access, misuse, or corruption.

·         Where possible, encryption technologies must be used to protect confidentiality, integrity, and authenticity of sensitive information during the physical transfer of media.

Last updated on: August 14, 2025 8:11pm