University Information Assurance Managment & Control Report (Assessment)

Introduction

The CIA triad is used to describe the information’s confidentiality, integrity, and availability as the most important features of an asset (Kim & Solomon, 2012, p. 10). Even though the concept of classification is most often associated with confidentiality, the rest of the features are also relevant in this respect. Classification procedures can be different for companies, which can be proved by the information policies of the University of Liverpool (2014) and University of Wisconsin (2015), but the general principle of information management appears to be more or less the same.

For example, both universities single out public assets that are open to anyone; open/internal information available to the staff and students; confidential/restricted information available to a much smaller number of stakeholders with necessary access; strictly confidential/confidential information that is not to be disclosed and can be managed by a very small number of people. Apart from that, the University of Liverpool (2014) introduces the secret level of assets confidentiality that is assigned through a specific procedure.

Main body

It should be pointed out that neither of the universities attempted to list all the assets in the publically distributed policy statements, but they provided examples. It can be suggested that the major information assets within a university can include the following groups.

• First, a university asset includes information about its courses, schools, majors, or, to sum up, the general information concerning its services. This information is public and should be available for anyone.
• Second, a university provides more detailed information concerning the courses and procedures concerned with studying and researching as an “internal” asset, that is, the data available to the staff and the students.
• Third, the policies of a university can be both public and internal or even restricted, depending on the end-user. For example, the policy concerning privacy can and should be made public so that any potential student could get acquainted with it. At the same time, the University of Liverpool (2014) secret assets status assignment procedure would probably be restricted.
• Fourth, the financial (for example, wages) and legal (for example, personal agreements) data concerning the university is most certainly going to be restricted to the point of being confidential; it is a requirement for the safe operation of the institution.
• Fifth, a university includes personal information concerning students and staff that can include, for example, their identification data, police records, medical records, and so on. This data, technically, belongs to the person it is concerned with; it is confidential, and disclosing it would damage a university’s reputation (University of Wisconsin, 2015). The level of confidentiality and accessibility should correspond to this fact, and the information needs to be particularly restricted and protected.
• Sixth, being a center of research, the university can possess research assets accumulated without the university’s contribution or with it. This asset is usually accumulated with the intent of assisting the students and staff in their studies and research; as a result, it is an internal asset. Public access to it is usually restricted, and fees are required.
• The seventh asset contains the research or project data produced by a university. It is supposed to be restricted or confidential, which is especially true for legal documents, for example, patents (University of Liverpool, 2014). Loss of such information discredits the University and endangers the copyrights of the people concerned.
• Eight, student performance data (examination papers, transcripts) could be defined as a separate asset due to the importance it holds for the university’s operation. The data is confidential, and specific procedures or clearances are necessary to gain access to it (University of Liverpool, 2014; University of Wisconsin, 2015).

For all the above-mentioned assets, integrity is vital. The last asset, however, includes the feedback concerning any university activity; it is a public asset that can be modified by anyone.

Testing the System

Research that is based in part on class activities, just like any other research would require the informed consent of the people participating in the said activities. In case the archived information concerning student performance would be required by the research, the level of the confidentiality of the required data would be assessed, and the decision concerning the access of the students would be made by data managers. The students would be informed about confidentiality requirements.

To provide the reports to the relevant bodies, the restricted information (concerning, for example, the economic status) will be managed by the people possessing necessary clearances. Given the fact that the data provided will only include aggregate, generalized information, no confidential data leakage will happen.

Student transcripts, as has been noted above, are confidential and should only be managed by the people with the necessary clearances. It is also important to note that careless transcript distribution would deal a blow to the university’s reputation (University of Wisconsin, 2015).

It would be logical to suggest that course and program content evaluation and improvement will be carried out by or with the help of people with the necessary clearances. If not, a request needs to be filed, and a decision must be made by the data managers.

Complaint investigation is a significant reason for providing the necessary data. It would most certainly be carried out by a person without the necessary clearance, but on a request, the data will be provided.

Evaluate how well your classification guide stands up to these tests. Are modifications needed, or do you need to completely rethink things?

As it has been noted, it is difficult to include all the necessary assets in such a short system, but from the point of view of the tests, this system appears to be usable; probably due to its extremely generic character. To make a system work, more details should be included, and more nuances should be provided.

References

Kim, D., & Solomon, M. (2012). Fundamentals of information systems security (2nd ed.). Sudbury, Mass.: Jones & Bartlett Learning.

University of Liverpool. (2014). Information Asset Classification Policy. Web.

University of Wisconsin. (2015). Information Asset Classification Policy. Web.