Policy Title

The Asset Management policy defines the basis for developing an inventory of information system assets for Winthrop University.

This policy applied to all Winthrop University information systems users and assets.

Authentication: The process of establishing confidence in user identities through a well specified message exchange process that verifies possession of a password, token to remotely authenticate a claimant.

Brute force attacks: A method of accessing an obstructed device through attempting multiple combinations of numeric/alphanumeric passwords.

Data: A subset of information in an electronic format that allows it to be received or transmitted.

Data (Classification Types):

1.   Public: Information intended or required for sharing publicly. Examples of public information include information provided on a University website, and reports meant for public distribution. Unauthorized disclosure, alteration or destruction of Public data would result in minimum to no risk to the University.

2.   Internal Use: Information that is used in daily operations of Winthrop University. Examples of internal use information include the Winthrop University organizational chart, internal procedures, and internal communications. Unauthorized disclosure, alteration or destruction of Internal Use data would result in little risk to the University.

3.   Confidential: Confidential information refers to sensitive information in custody of Winthrop University. Examples of confidential information include credit card information (PCI-DSS compliance standards), draft documents, and legal matters. Unauthorized disclosure, alteration or destruction of confidential data would result in considerable risk to the University.

4.   Restricted: Restricted information is highly sensitive information in custody or owned by Winthrop University and/or data which is protected by Federal or State laws and regulations. Examples of restricted information may include, but are not limited to, student records covered by the Family Educational Rights and Privacy Act (FERPA), Federal Tax Information (FTI) and health information protected by the Health Insurance Portability and Accountability Act (HIPAA). Unauthorized disclosure, alteration or destruction of Restricted data shall result in considerable risk to the University including statutory penalties.

Data (Transmission Types):

1.   Data at rest: All data in storage, regardless of the storage device, that is not in motion. This excludes information traversing a network or temporarily residing in non-volatile computer memory. Data at rest primarily resides in files on a file system. However, data at rest is not limited to file data. Databases, for example, are often backed by data files, and their contents can be thought of as rows and columns of data elements instead of as individual files. Agency should consider all aspects of storage when designing an encryption solution.

2.   Data in transit: All data not in storage, regardless of the storage device, that is in motion. This includes traversing a network or temporarily residing in non-volatile computer memory. Data in transit includes,but is not limited to: files sent through electronic mail, files sent across or through mobile devices (e.g thumbdrives) and/or data sent through internet file transfer protocols (e.g SFTP, ACH).

Degaussing: Degaussing is exposing the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains.

Data owner: The person who has been identified as having the ownership of the information asset.

Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily this principle limits the damage that can result from an accident or error. -This principle requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks only for the minimum amount of time necessary. The application of this principle limits the damage that can result from accident, error, or unauthorized use or activity.

Media sanitization: Media sanitization is a process by which data is irreversibly removed from media or the media is permanently destroyed. There are different types of sanitization for each type of media including: disposal, clearing, purging and destroying.

Obfuscation: Data masking or data obfuscation is the process of de-identifying (masking) specific data elements within data stores. The main reason for applying masking to a data field is to protect data that is classified as personal identifiable data, personal sensitive data or commercially sensitive data; however, the data must remain usable for the purposes of undertaking valid test cycles.

Role-Based Access Control (RBAC): A role-based access control (RBAC) policy bases access control decisions on the functions a user is allowed to perform within an organization. The users cannot pass access permissions on to other users at their discretion. A role is essentially a collection of permissions, and all users receive permissions only through the roles to which they are assigned, or through roles they inherit through the role hierarchy. Within an organization, roles are relatively stable, while users and permissions are both numerous and may change rapidly.

System Development Life Cycle (SDLC): The multistep process that starts with the initiation, analysis, design, and implementation, and continues through the maintenance and disposal of the system, is called the System Development Life Cycle (SDLC).

Multifactor (MFA) or Two-factor authentication (2FA): Authentication systems identify three factors as the cornerstone of authentication: Something you know (for example, a password); something you have (for example, an ID badge or a cryptographic key); something you are. Multi-factor authentication refers to the use of two of these three factors listed above.