Response 1 655


100 word response due 2/18/2023

Rosado

The policy selected from section 12.5.1.3 in the class text was the Information Asset Management Policy, which is used in the proper handling of systems that access, store, and process sensitive information. I chose this policy because it is central to any data processor or data provider and because, as researchers, the information we access and process may need to be handled with care and so too will the assets we use to process, access, and store the information. An article I found mentioning this policy was one published by Evans and Price (2014) titled “Responsibility and Accountability for Information Asset Management (IAM) in Organisations.”

What I learned from this article was that, at least back in 2014, organizations truly didn’t spell out who was responsible for Information Asset Management (IAM) and who to hold accountable. Furthermore, the authors pointed out that after polling a few executives, their policies often fortified financial resources and physical information systems, but not the intangible. It was clear that at the time, the intangible may have been left out and may continue to be left out from governance policies, depending on the organization’s approach to their policy construction. The authors proposed two primary activities in their continuing research, including examining the board and its role in IAM alongside pursuing business impact assessments to determine the loss value of the organization in the case of IAM failure, including the intangible.

The U.S. Department of Health and Human Services (HHS, 2023) publishes an Information Technology Asset Management policy (ITAM for short) that is reviewed every few years. In its glossary and acronyms section, they define many asset types: Hardware Assets, Information Technology Assets, and Software Assets. Apart from listing information technology as an asset category, they included Software, and while they hadn’t denoted licenses as an asset, they also have a management policy around them. In the linked policy page for the HHS, the roles and responsibilities are broken down in detail, something that Evans and Price (2014) mentioned in their article is normally not well defined. Contact information and approval history, along with appendices, were included in this policy. For those seeking to know what is placed in this type of policy, this may be a good start.

 

For this discussion: 100 word response due 2/18/2023

https://resources.infosecinstitute.com/topic/essentials-acceptable-use-policy/

 

  • Find an article (preferably peer-reviewed) that discusses one of the policies mentioned in the above section (any one of the policies will do – it is your choice)
  • Read the article and, if you can find supporting information from a qualified website (maybe an organization that has posted a policy), use that information too
    • Provide a summary of the article and supplemental information source
    • Upload the article and a PDF of the information source if you can, or supply the URL to the information source
    • Besides the summary, provide information as to why you selected the policy and information source