Component: Hardware asset used for the digital processing and/or storage of information. Examples include computers, multifunction devices (printers/copiers/scanners), thumb drives, internal and external hard drives, and network equipment.
Removal: Sale, return, disposal, transfer, or destruction of a component.
Owner: Entity that controls the use and maintenance of a component.
All components must have an owner with clearly delineated responsibilities for the maintenance of that asset. If responsibilities are delegated, the asset owner retains ultimate responsibility. Asset purchases must not break the security integration of any other asset and are subject to any acceptable use policy established by the University.
Missouri State University shall have standards for protecting and managing its computer components based upon the frameworks cited in the overall Information Security Policy. Those components must have safeguards implemented that are commensurate with risk. Best practices include, but are not limited to:
- Regular patch management/updates for hardware firmware, operating systems, and applications.
- Controlled access/connectivity to the network, including properly configured remote access.
- Strict guidelines for hardware component retirement or redeployment including the sanitizing of any data stored on that component.
- Account management based on least privilege (e.g., admin accounts/privileges, default accounts).
- Auditing/logging enabled (servers, firewalls, etc.).
- Disabling services (e.g., file sharing) that introduce vulnerabilities, unless required.
- Detailed installation procedures, which include having an understanding of what the asset/equipment will be used for (e.g., credit card processing, managing Personally Identifiable Information (PII)) in order to provide maximum security and ensure compliance with regulations.
- Appropriate physical security.
- Environmental consideration.
- Consider the confidentiality of output (e.g., printouts, emailed files, extraction of data to be tested) based on Data Classification policy and handle accordingly.
- Consideration of copyright laws (e.g., pirated software).
Reason or Purpose for Policy
Components must be appropriately managed in order to protect confidentiality, integrity and availability of data entrusted to the University and to abide by applicable law.
Entities Affected by this Policy
All entities contained in or under the direction of the Missouri State University system.
Line of Authority
- Responsible Administrator and Office: Chief Information Officer (CIO)
- Contact Person in that Office: Information Security Officer (ISO)