Policy & Standards
Asset Management Standard
Assets that are in scope are defined as workstations, servers, network infrastructure devices, removable media, personal devices, device terminals, cabinets, safes, rooms, and physical and electronic storage.
Asset Life Cycle
Acquisition of new assets that will use or maintain critical services or handle Level 1 and 2 data must be approved by the Information Security Office prior to purchase, to ensure that all potential security risks to the campus are identified, evaluated, and mitigated.
All such assets will undergo a risk assessment process in the following review areas:
All critical devices and applications and those handling Level 1 and 2 information (with special attention to servers and network equipment) must be registered with the Information Security Office upon acquisition.
All assets must be deployed using Sacramento State standard image builds, as defined in the Configuration Management Standard.
All applicable assets, as defined by the Information Security Officer, must comply with the following standards:
- Campus monitoring agent installed (KBox for workstations and laptops and Orion for servers).
- Assets that are considered high risk will be monitored by the KBOX agent or Orion server to ensure patch management compliance. These assets will be annually audited to ensure that the Information Security Office records are up to date.
- Asset must run current anti-malware software.
- Any exceptions to the use of malware protection under campus guidelines must be approved through the exception process noted under Section 2.0 of the Supplemental Information Security Policy.
- Built off the Sacramento State standard campus image.
- Any exceptions to the use of campus standard images must be approved through the exception process noted under Section 2.0 of the Supplemental Information Security Policy.
- Assets that access Level 1 or Level 2 data must be registered with the Information Security Office.
When encryption is required by the ISO to protect campus information systems, data, or network resources, the following minimum requirements must be met:
Strong cryptography (e.g., Triple-DES, AES, etc.) must be used. The cryptography must be certified by NIST or a similar organization.
Documented procedures and responsibilities for key management:
Encryption of Level 1 data in storage or prior to transmission may be required, to prevent the possibility of compromise, interception or misrouting.
Records subject to disclosure under the California Public Records Act or required to be accessible for defined periods of time in compliance with CSU records disposition schedules shall be available to appropriate University officials at all times. Other information that may be required to conduct the University’s business shall also be available when needed. Therefore, at least one copy (the authoritative copy) of any such information shall be stored in a known location in unencrypted form, or if encrypted, the means to decrypt it must be available to more than one person.
All applicable assets must be maintained by an approved patch management process that ensures routine identification, evaluation, application and verification of software patches. All devices must regularly check for patch updates to ensure the asset is properly secured.
All campus assets must be made available to regular vulnerability scans. No device may be configured in such a way as to prohibit campus-wide vulnerability scanning, unless a written exception is provided by the ISO.
Critical Asset - Defined as any system or device that meets the security category of Critical in section 8045.100 Security of Servers and Network Attached Devices of the Supplemental Information Security Policy.
Workstations, Laptops, and Servers – Defined as any state or auxiliary owned computer that is used to support the mission of the university. These assets must meet the following areas in order to comply with the asset standard.
Network Infrastructure Devices – Defined as any state or auxiliary owned devices that are used to connect, support or provide network or telecommunication services.
Removable Media – Defined as any state or auxiliary owned media that are used to facilitate a business need to transport or store electronic data. Examples are CDs, DVDs, flash drives, portable hard drives, backup tapes or any device that can be transported from one workstation to another.
End User Devices – Defined as any state or auxiliary owned devices that are assigned directly to a faculty or staff member to conduct business functions. These devices are defined as smart phones (iPhone, BlackBerry, etc.) or Personal Data Devices (Palm, iPad, etc.).
Physical Assets – Defined as any state or auxiliary owned non-electronic documents that contain Level 1 or Level 2 data.
Vulnerable Assets – Defined as any device, owned or not owned, that exhibits elevated vulnerabilities or risk of compromise, or has been compromised.
Network Attached Device - Defined as any device owned or not owned by the state or auxiliary that connects to the university network.
Defined as a physically secured location that has the following security controls:
- Alarms (notification to Public Safety)
- Backup Generator
- Enterprise class Uninterruptible Power Supplies (UPS)
- Fire Extinguishing System
- Dedicated HVAC System with Generator backup
- Monitored Access Control (velocity)
- Video surveillance (accessible by Public Safety)
Defined as a physically secured location that has the following security controls and requirements:
- Does NOT contain Confidential or Level 1 Data
- Access limited to key personnel
- Dedicated HVAC System
Network Telecommunication Closet
Defined as a physically secured location containing network infrastructure devices that has the following security controls:
- Access is restricted to NTS personnel and NTS authorized staff
- Is NOT accessible using a campus master key
- Has a dedicated HVAC system
- Is monitored by NTS personnel
Information Resources and Technology | Sacramento State | 6000 J St | Sacramento, CA, 95819-6065 | AIRC Building | 916.278.7337