Each information asset is to have an information owner. The information owner is responsible for the confidentiality, availability and accuracy of the information asset. The information owner can be a head of research, a head of department or head of an area.
Login
to see more information on this page.
Every information asset is to be managed with proper protection, whether it is managed in the framework of research, studies or the central university administration. This means that you, as an information owner, are required to ensure that the information for which you are responsible is documented and processed properly. Familiarise yourself with your information to find the right level of protection.
What is an information asset?
Information assets are anything that contains information, such as data in information processing systems, software and physical assets and in hardware, services, people and intangible assets.
When a new project starts
Starting a project involves collecting information, choosing the right storage location and identifying security measures to protect your information.
At the start of each new project, as an information owner you should:
- Conduct an Information classification to describe the information you will be processing and what levels of protection are required. The information classification is a good basis on which to choose and procure IT services and develop security procedures. The page Information classification also provides a customised template for research projects with predefined classification values.
- Choosing a storage location based on protection needs
- Conduct a Risk and Vulnerability Analysis that describes the vulnerabilities, threats and risks that exist when processing information, such as electronic or physical management. A risk analysis always needs to be performed to assess if a new IT service can begin to be used.
Identify the right level of protection
Protection should be adapted to the nature of the information, so that it does not become too complicated or expensive. The aim is to have the right protection in place rather than always having the highest possible level of security. For example, if the information is not confidential, expensive solutions or complicated procedures to protect the information from leaks are unnecessary. When working with information security, here are three aspects to consider:
- Confidentiality — that only authorised users have access to the information
- Accuracy — that information is accurate and uncorrupted
- Availability — that information is available when we need it
As the information owner, you are to assess the relevant information on the basis of these three aspects and to adjust protection accordingly.
For example, the University's evacuation plans contain information that requires a high degree of availability and accuracy, but that is not confidential at all.
When do we need to conduct an information classification?
The classification of information should be the basis for the selection of appropriate safeguards in these situations:
- Prior to personal data processing.
- Assessment of how research materials or data are to be handled and thus protected.
- Current situation assessment or risk analysis of an information system.
- Procurement, new development of or changes to IT systems or infrastructure, such as data storage services.
- Establishing the security design of an information system.
- Changes in legal requirements.
- New information in the organisation.
- Approval of rules for processing information, such as requirements for encryption of emails and rules for communication by mobile phone.