DPC/G 4.7 Government guideline on cyber security

ISMF Guideline 7 Asset Management

BACKGROUND

Government agencies depend on information in a variety of formats to provide services to the community and business sector. To meet expectations in terms of service delivery, security and availability, agencies must treat Official Information[1] as an asset that needs to be maintained, just as they manage their physical assets such as equipment.

Fundamental to this process is developing an understanding of what information the business needs, how it is used, and its importance. The last point will involve an analysis of the availability, integrity and confidentiality of the information.

A key aspect of managing any asset, particularly an information asset, is the identification of a Business Owner. This promotes accountability for the implementation and maintenance of controls and protection mechanisms for the identified assets. While day-to-day activities may be delegated to other officers, the responsibility remains with the designated Business Owner. This guideline supports implementation of ISMF Policy Statement 7.

TERMS

Asset management, broadly defined, refers to any system that monitors and maintains things of value to an entity or group. In this particular context, it refers to the management of any information that is held or used by an organisation, and the systems and facilities that support that information. It is a systematic process of operating, maintaining, upgrading, and disposing of these assets.

The Business Owner is the person or group that is ultimately responsible for an information asset. This person or group is distinct from an information custodian, who may take responsibility for the ongoing management of the information (such as a CIO or system administrator). Individual business units own business critical information, rather than information technology or information security departments (they are custodians, not owners). The manager of the business unit responsible for the creation of any information and/or the business unit directly impacted by the loss of the information is usually the Business Owner (i.e. the party most impacted by the loss of confidentiality, integrity or availability of the information is typically the Business Owner). The term Business Owner is synonymous with the expression Risk Owner used by the ISO 27001 standard.

An Information Asset is anything that processes, stores or communicates information of value to the Agency or organisation. Information assets in the South Australian Government are commonly referenced as holistic systems, for example: TRUMPS, LOTS, EMS, Masterpiece etc. This definition is distinct from the definition used by the ISO 27000 series standards as the ISMF relates specifically to cyber security.

GUIDANCE

This guideline has been developed to clarify the steps involved in creating and maintaining an information asset inventory, and the roles and responsibilities within South Australian Government agencies with regard to these activities.

1. IDENTIFY ASSETS (ASSET INVENTORY)

- Agencies must compile and maintain a registry of their information assets.
- Each asset must be clearly identified as to its nature, location, security classification and Business Owner.
- The systems associated with the information assets must also be identified and recorded in the inventory against the information asset(s).
- The inventory should also include any documentation relating to the information (such as rules for its use and related procedures).
- The inventory must be reviewed and updated annually.
- The asset inventory (and any review) must be signed off by the Chief Executive, in consultation with other agency staff such as the Agency Security Executive.

Responsibility for maintaining and updating the inventory can be delegated, but the responsibility for the assets remains with the Business Owner.

[1] A term defined in the ISMF as “any information developed, received or collected by, or on behalf of, the Government, through its agencies and contracted providers”.

2. ASSIGN AN OWNER (ASSET OWNERSHIP)

All information assets must have a designated Business Owner, who is typically the person most impacted by the loss of or damage to the asset, or the systems that support it.

Whilst operational control of the asset may be given to another person (e.g. a system administrator), the responsibility for the asset always remains with the Business Owner.

3. ASSIGN A BUSINESS INFORMATION VALUE (CLASSIFICATION)

The classification that is assigned to an Information Asset should take into account the requirements of Confidentiality, Integrity and Availability. Further guidance on classification is provided in ISMF Guidelines 8a and 8b.

4. AGENCY (OR STATE GOVERNMENT) CRITICAL INFRASTRUCTURE

If, during the process of assigning a classification to an Information Asset, it is determined that the asset is part of a critical or essential service, then ISMF Ruling 1 will apply. Further information is available in ISMF Guideline 37a.
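As an added illustration that is not part of the guideline, the following Python models an inventory entry carrying the fields the four steps above require and checks each entry against them (owner and classification present, owner not a custodian unit, supporting systems recorded, annual review current, Chief Executive sign-off). The classification labels, the custodian unit names and the sample assets are assumptions, not values from the ISMF.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Placeholder classification labels; the real scheme is in ISMF Guidelines 8a/8b.
CLASSIFICATIONS = {"PUBLIC", "OFFICIAL", "SENSITIVE", "PROTECTED"}
CUSTODIAN_UNITS = {"ICT", "Information Security"}  # custodians, not owners (assumed names)
AS_AT = date(2018, 3, 16)  # constructed date on which the sample inventory is reviewed

@dataclass
class InformationAsset:
    name: str
    nature: str
    location: str
    classification: str
    business_owner: str  # person or group in the owning business unit
    owner_unit: str
    systems: List[str] = field(default_factory=list)        # supporting systems
    documentation: List[str] = field(default_factory=list)  # rules of use, procedures
    last_review: Optional[date] = None
    signed_off_by: Optional[str] = None

def check_asset(asset: InformationAsset, today: date) -> List[str]:
    """Return the guideline requirements this inventory entry does not meet."""
    findings = []
    for attr in ("nature", "location", "business_owner"):
        if not getattr(asset, attr):
            findings.append(f"{asset.name}: missing {attr}")
    if asset.classification not in CLASSIFICATIONS:
        findings.append(f"{asset.name}: classification missing or not recognised")
    if asset.owner_unit in CUSTODIAN_UNITS:
        findings.append(f"{asset.name}: owner sits in a custodian unit, not a business unit")
    if not asset.systems:
        findings.append(f"{asset.name}: no supporting systems recorded")
    if asset.last_review is None or today - asset.last_review > timedelta(days=365):
        findings.append(f"{asset.name}: annual review overdue")
    if asset.signed_off_by != "Chief Executive":
        findings.append(f"{asset.name}: not signed off by the Chief Executive")
    return findings

def check_inventory(inventory: List[InformationAsset], today: date) -> List[str]:
    return [f for a in inventory for f in check_asset(a, today)]

# Constructed sample inventory; names and values are illustrative only.
SAMPLE_INVENTORY = [
    InformationAsset("Payroll records", "database", "Data centre A", "SENSITIVE", "Manager, Payroll",
                     "Finance", ["HRMS"], ["Payroll handling procedure"], date(2017, 10, 1), "Chief Executive"),
    InformationAsset("Contract register", "spreadsheet", "Shared drive", "", "", "ICT", [], [],
                     date(2016, 6, 1), "CIO"),
]
```

Running `check_inventory(SAMPLE_INVENTORY, AS_AT)` reports nothing for the payroll entry and six findings for the contract register, which is exactly the kind of entry the annual review and sign-off step is meant to catch.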


ADDITIONAL CONSIDERATIONS

The management of information assets must be supported by the development and maintenance of procedures and practices coupled with metrics and/or performance measurements. These should consider factors such as: risk, cost, control, IT governance, compliance and business performance objectives as established by the business.

The process may also identify ‘silos’ of information, where use of the information is unintentionally restricted to a subset of the organisation even though the same information has wider uses within the agency, or could be applied to the benefit of the broader organisation. By identifying and publicising ‘like groupings’ of information held within the organisation, the information can be used more effectively, and the business benefits by being able to provide new services, or by having a broader base of users who can keep the information current. This in turn may lead to the identification of additional information that can be made available to the public, which supports the notion of responsible information sharing.

Identifying the information assets of the organisation may also lead to an improved understanding of the information needs of the business. This includes identification of what information is captured, created or used, who uses it, how effectively it meets the needs of the business and the users, how long it is useful for, and who is responsible for ensuring the information assets remain fit for purpose.

This guideline does not aim to provide the reader with all of the responsibilities and obligations associated with the management of information assets. It is merely an overview of the information provided in applicable government cyber security policy, applicable governance frameworks and the resources and utilities available at the time of publication. It is highly recommended that agencies review these documents in their entirety. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s).


REFERENCES, LINKS & ADDITIONAL INFORMATION

PC030 Government of South Australia Protective Security Management Framework [PSMF]

DPC/F4.1 Government of South Australia Information Security Management Framework [ISMF]

ISO/IEC 27002:2013 standard – control 8.1.1

Document Control

ID: DPC/G 4.7
Version: 1.1
Classification/DLM: PUBLIC-I2-A1
Compliance: Discretionary
Original authorisation date: February 2014
Last approval date: September 2017
Next review date: September 2018

Licence

With the exception of the Government of South Australia brand, logos and any images, this work is licensed under a Creative Commons Attribution (CC BY) 4.0 Licence. To attribute this material, cite the Department of the Premier and Cabinet, Government of South Australia, 2017.
