Component Integration and Removal

Op12.07-9 Component Integration and Removal

Definitions

Component: Hardware asset used for the digital processing and/or storage of information. Examples include computers, multifunction devices (printers/copiers/scanners), USB drives, internal and external hard drives, and network equipment.

Removal: Sale, return, disposal, transfer, or destruction of a component.

Information System Owner: The information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, and maintenance of an information system. The information system owner is responsible for addressing the operational interests of the user community (i.e., users who require access to the information system to satisfy mission, business, or operational requirements) and for ensuring compliance with information security requirements.

Policy statement

All components must have an administrator with clearly defined responsibilities for the maintenance of that asset. If responsibilities are delegated, the information system owner retains ultimate responsibility.

Asset purchases must not disrupt the security integration of any other asset and are subject to any acceptable use policy established by the University.

Components must have safeguards implemented that are commensurate with risk. This includes, but is not limited to:

  • Regular patch management/updates for hardware firmware, operating systems, and applications.
  • Controlled access/connectivity to the network, including properly configured remote access.
  • Strict guidelines for hardware component retirement or redeployment including the elimination of data stored on that component.
  • Account management based on least privilege (e.g., admin accounts/privileges, default accounts).
  • Auditing/logging enabled (servers, firewalls, etc.).
  • Disabling services (e.g., file sharing) that introduce vulnerabilities, unless they are required.
  • Detailed installation procedures, which include having an understanding of what the asset/equipment will be used for (e.g., credit card processing, managing Personally Identifiable Information (PII)) in order to provide maximum security and ensure compliance with regulations.
  • Appropriate physical security.
  • Environmental consideration.
  • Consideration of the confidentiality of output (e.g., printouts, emailed files, data extracted for testing) based on the Information Classification Policy, with the output handled accordingly.
  • Consideration of copyright laws (e.g., pirated software).