APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
Board Policy (BP) 6-10, Cyber Security Policy
System Procedure (SP) 6-10a, Acceptable Use of Information Assets
System Procedure (SP) 6-10k, Data Classification, Handling, and Protection
System Procedure (SP) 6-10p, IT Risk Management
System Procedure (SP) 6-10t, Security Testing
/ Joe Garcia /
Joseph A. Garcia
This procedure documents how the Colorado Community College System including its Colleges (“CCCS”) manage those Information Assets that are the responsibility of the System Information Technology Department (“System IT”) and the College Information Technology Department (“College IT”).
This procedure does not replace, nor does it conflict with fiscal asset procedures. The intent of this procedure is for IT departments to track Information Assets in a way that can inform cyber security risk analysis.
An Information Asset inventory is an important tool that informs management about Information Assets and the risks they pose to cyber security.
This procedure applies to Information Assets owned, leased, managed and maintained by System IT or College IT or by third parties on behalf of CCCS.
Information Asset is defined as any equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. Information Asset includes, but not limited to, computers, laptops, servers, removable electronic media, mobile devices, and Internet of Things (IoT) devices.
The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.
Authorized Use of Technology
The use of System IT and applicable College IT Information Assets (e.g., computers, laptops, removable electronic media, mobile devices, etc.) shall require supervisor approval.
Newly acquired Information Assets must adhere to approved System IT and College IT standards. The acquisition of any computer hardware or software shall require approval of the System IT or College IT. System IT or College IT shall not permit the introduction of Information Assets that are incompatible with existing infrastructure and operating systems. Users who download or acquire Information Assets without following the proper procurement and approval process are personally responsible and liable for any such uses.
Acquired Information Assets will be processed through System IT or College IT. Assets shall be labeled with an asset identification tag by IT Purchasing Agents and Fiscal Asset Management under the fiscal inventory procedure(s).
Information Assets are not to be deployed until they have been properly received and registered in the IT asset inventory. The IT asset inventory shall, at a minimum, list Information Assets along with the model number, serial number, location and authorized user(s).
System IT or College IT shall store spare IT equipment and software installation files in a secured, designated location.
Return of Faulty Equipment
An Information Asset that is faulty, damaged, broken, or is no longer needed shall be returned to the appropriate IT department.
Information Assets shall be kept in good working order and records shall be kept that document repairs and modifications.
Reuse / Disposal of Assets
The reuse and disposal of Information Assets is the responsibility of System IT and each College IT. Information Asset disposal will be performed in accordance with the Data Classification, Handling, and Protection Procedure and the Data Retention and Fiscal Disposal Procedures outlined in SP 8-80, Surplus Property, and SP 8-81, Surplus Property Disposal Procedure for System Office Departments.
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.