Asset Management
PURPOSE
The purpose of this SOP is to ensure that all of HIC’s assets are identified, recorded and managed in accordance with the ISO27001 standard.
HIC categorises information assets as:
Staff
Infrastructure
Data
Service
End User Computing
Accounts and Projects
SCOPE
The scope of this SOP extends to all HIC Teams, third parties, vendors and partner agencies who utilise or who are responsible for the development, management, and maintenance of HIC assets.
RESPONSIBILITIES
ROLE | RESPONSIBILITY |
---|---|
Asset Owner | |
Delegated Asset Owner | |
Business Support Team | |
PRINCIPLES
Information Classification and Handling: All HIC information has a value to the organisation; however, not all information has equal value or requires the same level of protection. Being able to identify the value of information assets is key to understanding the level of security that they require. HIC maintains an Information Classification Register and handling scheme, which involves grouping information and categorising content to establish the most appropriate way of handling, storing and retrieving it, and to determine who is authorised to access it. See the appendices for the HIC Information Classification Register.
PROCEDURE
1. Inventory of Assets
An asset register is maintained within the project management system.
Any asset which is of value to HIC is identified and managed over its lifecycle within this register.
Asset object fields are populated, dependent on relevance to the asset, noting mandatory fields where appropriate.
The asset register is reviewed annually and upon significant changes.
2. Asset Ownership
All assets must have owners.
Each owner is responsible for protecting the confidentiality, integrity, and availability of the information.
Assets will have delegated staff who are responsible for the effective management of the asset during the asset lifecycle.
Owners will ensure:
Assets are inventoried.
Assets are correctly classified and protected.
Assets and asset access are reviewed periodically.
Assets are handled correctly when being deleted or destroyed.
3. Asset Use
All users must follow the University of Dundee Policy on acceptable use.
Use of assets must be authorised.
Information will be classified by its sensitivity and importance to HIC, in accordance with the HIC Data Classification.
4. Asset Return and Disposal
Upon termination of business relations, all users who are in possession of, or have access to, information assets need to return them to HIC or have their access removed by HIC.
Disposal of assets must ensure that there is a disposal record, where applicable, and that a secure method was used.
APPENDICES
Appendix A: HIC Information Classification Register
Open | Private | Confidential |
---|---|---|
Can be seen by anyone | Restricted to UoD internally or with collaborators | Restricted to authorised HIC staff |
Very little risk of harm to persons, HIC, UoD or other organisations | Some risk of harm to persons, or financial/reputational impact to the University or other organisations from inappropriate disclosure | Significant risk of damage or distress to individuals, negative financial or reputational impact on HIC or UoD |
No requirement to label | May be labelled private | Should be labelled confidential |
Can be circulated freely | Not to be used on or sent to non-University systems or in public places where it can be viewed by others | Follow HIC SOPs |
Applied to HIC Data | | |
Policies, SOPs | Procedures, Work Instructions, Service Descriptions | Identifiable personal data |
Aggregate data ≥ 5 | HIC staff holidays | Staff personal and salary data |
Meta-data e.g. look-up tables | Non-personal research data | |
Staff names and work contact details | Anonymised personal data | |
Researcher profiles and publications | Aggregate data <5 | |
 | HIC finance details | |
 | Commercial & research contracts | |
 | Software code | |
 | JIRA system content | |
APPLICABLE REFERENCES
Information Classification
For Definitions see ISMS Glossary
Asset management policy - University of Dundee
Acceptable use policy - University of Dundee
Information Security Policy
DOCUMENT CONTROLS
Process Manager | Point of Contact |
---|---|
Jill Hampton |
Revision Number | Revision Date | Revision Made | Revision By | Revision Category | Approved By | Effective Date |
---|---|---|---|---|---|---|
1.0 | 01/01/24 | | Bruce Miller and Symone Sheane | Superficial | Governance & Project Co-Ordinator: Symone Sheane | 10/01/24 |
1.1 | 04/04/24 | | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 5/04/24 |
1.2 | 10/04/24 | | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/04/24 |
1.3 | 19/04/24 | | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 19/04/24 |
1.4 | 30/04/24 | | Bruce Miller | Superficial | Governance Co-Ordinator: Symone | 30/04/24 |
1.5 | 02/05/24 | | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 02/05/24 |
1.6 | 09/10/24 | | Bruce Miller | Superficial | Governance & Project Co-Ordinator: Symone Sheane | 18/11/24 |
1.7 | 17/10/24 | | Jill Hampton | Superficial | Governance & Project Co-Ordinator: Symone Sheane | 18/11/24 |
1.8 | 18/11/24 | | Symone Sheane | Superficial | Governance & Project Co-Ordinator: Symone Sheane | 18/11/24 |
1.9 | 23/01/25 | | Symone Sheane | Superficial | Process Manager: Jill Hampton | 24/01/25 |
1.10 | 26/05/25 | | Symone Sheane | Superficial | Process Manager: Jill Hampton | 26/05/25 |
Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within the current versioning system prior to use and destroyed promptly thereafter. All hard copies are considered uncontrolled documents.