Asset Management

PURPOSE

The purpose of this SOP is to ensure that all of HIC’s assets are identified, recorded and managed in accordance with the ISO27001 standard.

HIC categorises information assets as:   

  • Infrastructure  

  • Data  

  • Service  

  • End User Computing  

  • Accounts and Projects  

SCOPE

The scope of this SOP extends to all HIC Teams, third parties, vendors and partner agencies who utilise or who are responsible for the development, management, and maintenance of HIC assets.  

RESPONSIBILITIES

| ROLE | RESPONSIBILITY |
| Asset Owner | Accountable for the day-to-day management of assets |
| Delegated Asset Owner | Responsible for the creation, review and updating of assets |
| Business Support Team | Responsible for supporting the asset management process and communicating to stakeholders |

PROCEDURE

Policy

Asset management policy - University of Dundee
Acceptable use policy - University of Dundee
For overall Policy see Legal and Governance Policy

Principles

  1. Information Classification and Handling: All HIC information has value to the organisation; however, not all information has equal value or requires the same level of protection. Being able to identify the value of information assets is key to understanding the level of security that they require. HIC maintains an Information Classification and Handling scheme, which involves grouping information and categorising content to establish the most appropriate way of handling, storing and retrieving it, and to determine who is authorised to access it.

Steps

  1. Inventory of Assets: Any asset which is of value to HIC needs to be identified and managed over its lifecycle. HIC is required to show how assets are managed and controlled, based on their importance.

  2. Ownership of Assets: All assets must have owners. Each owner is responsible for protecting the confidentiality, integrity, and availability of the information. Assets will have delegated staff who are responsible for the effective management of the asset during the asset lifecycle. Owners will ensure:

    • Assets are inventoried. 

    • Assets are correctly classified and protected. 

    • Access restrictions to the asset and its classification are periodically reviewed.  

    • Assets are handled correctly when being deleted or destroyed.  

  3. Acceptable Use of Assets: HIC will refer to the University of Dundee Policy on Acceptable Use.

  4. Return of Assets: Upon termination of business relations, all users who are in possession of, or have access to, information assets need to return them to HIC or have access removed by HIC.

APPLICABLE REFERENCES

  • University of Dundee Acceptable Use Policy  

  • University of Dundee Asset Management Policy  

  • Information Classification  

  • For Definitions see ISMS Glossary

DOCUMENT CONTROLS

| Process Manager | Point of Contact |
| Jenny Johnston | hicbusiness-support@dundee.ac.uk |

| Revision Number | Revision Date | Revision Made | Revision By | Revision Category | Approved By | Effective Date |
| 1.0 | 01/01/24 | Moved SOP to Confluence from SharePoint and updated into new template | Bruce Miller and Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/01/24 |
| 1.1 | 04/04/24 | Updated Roles and Responsibilities | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 5/04/24 |
| 1.2 | 10/04/24 | Formatted document control table and added in revision category | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/04/24 |
| 1.3 | 19/04/24 | Updated Approved by title | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 19/04/24 |
| 1.4 | 30/04/24 | Updated Header to conform with BSI guidelines | Bruce Miller | Superficial | Governance Co-Ordinator: Symone | 30/04/24 |

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within the current versioning system prior to use and destroyed promptly thereafter. All hard copies are considered uncontrolled documents.