INFORMATION ASSET MANAGEMENT - 5305.5

(Revised: 10/2023)


Introduction: Information Asset Management (IAM) is a collection of knowledge or data that is organized, managed, and valuable. It involves safeguarding sensitive data and ensuring that information is readily available to support decision-making, innovation, and operational efficiency.

Policy: Each Agency/state entity must understand the value of its information assets and the level of protection those assets require. To this end, each Agency/state entity shall establish and maintain an inventory of all its information assets, including information systems, information system components, and information repositories (both electronic and paper). The inventory shall list all programs and information systems identified as collecting, using, maintaining, or sharing Agency/state entity information. The inventory must include categorization and classification of the information assets by program management and based on the Information Security Program Management Standard (SIMM 5305-A), California Public Records Act (Government Code sections 7920.000-7931.000), Information Practices Act of 1977 (Civil Code Section 1798, et seq.), FIPS Publication 199, and laws governing administration of the Agency/state entity’s programs.

The categorization and classification of information assets shall be used to determine an asset’s needed level of protection. If the information asset’s level of protection is not clear, the Agency/state entity is to protect the asset to the categorization level of “Moderate” as defined by FIPS Publication 199. Where the Agency/state entity is the custodian or user of the information asset and not the owner, as in the case of Federal Tax Information, Criminal Justice Information Services information, and so forth, the Agency/state entity shall ensure the data owner specifies the level of protection. The Agency/state entity shall adhere to the data owner’s classification and level of protection requirements.

Each information asset for which the Agency/state entity has ownership responsibility shall be inventoried and identified to include the following:

  1. Description and value of the information asset.
  2. Owner of the information asset.
  3. Custodians of the information asset.
  4. Users of the information asset.
  5. Classification of information.
  6. FIPS Publication 199 categorization and level of protection (Low, Moderate, or High).
  7. Importance of information assets to the execution of the Agency/state entity’s mission and program function.
  8. Potential consequences and impacts if confidentiality, integrity, and availability of the information asset were compromised.

The Agency/state entity must protect all personal information defined by the California Information Practices Act (Civil Code Sections 1798.3 and 1798.29), and medical information and individually identifiable information defined by the California Medical Information Act (Civil Code Section 56.05) to a minimum FIPS Publication 199 categorization level of “Moderate”.

Implementation Controls: NIST SP 800-53: Planning (PL); Program Management (PM); Information Security Program Management Standard (SIMM 5305-A); and FIPS Publication 199.
