Information Security Standards


Standards for Owners of Information Assets




SCO Divisions are owners of the information assets they utilize to conduct the business of the SCO. Owners of information have the following responsibilities.

  1. Owner Compliance: SCO Division management shall abide by, and ensure their staff comply with, SCO, State, and Federal (when applicable) policies, laws, rules, regulations, standards, and procedures pertaining to information security, confidentiality, and privacy when handling information assets owned by or entrusted to the SCO.

  2. Information Asset Classification: SCO Divisions shall ensure the SCO information and applications for which they are responsible are appropriately classified. (Reference: Management Security Standards 200 and 201.)

  3. Risk Assessment: SCO Divisions shall determine, in coordination with the SCO Information Security Office and custodian(s) of information, appropriate security controls (i.e., safeguards or countermeasures) for the information assets for which they are responsible and shall identify the resources needed to implement those controls. (Reference: Management Security Standard 202.)

  4. Security Management: SCO Divisions shall ensure information security is planned for, documented, and integrated into the system life cycle (SLC) for all information technology projects that involve the processing, transport, or retention of information that is classified as confidential or sensitive, and for business critical applications and processes. (Reference: Management Security Standards 203 and 204.)

  5. Owner Acceptable Use Policy: SCO Divisions shall develop information user “acceptable use” and “rules of behavior” for information assets for which they are responsible.

  6. Owner Authorization Approval: SCO Divisions shall authorize access to, and use of, the information assets and facilities for which they are responsible.

  7. Access Authorization Reviews: SCO Divisions shall conduct annual reviews of user accounts to validate the continued need for access to and use of the information assets for which they are responsible.

  8. Access and Use Agreements: SCO Divisions shall establish and manage agreements with non-SCO state entities and non-state entities to which the division has authorized access to, or use of, an SCO information asset for which the division is responsible. Agreements with non-SCO state entities and non-state entities shall, at a minimum, cover:

  1. Appropriate levels of confidentiality and privacy for the information based on its classification.

  2. Standards for transmission and storage of the information, if applicable.

  3. Agreements to comply with all divisional requirements, SCO ISPM standards, and state and federal laws regarding the security and use of the information asset.

  4. The use of signed confidentiality and non-disclosure user statements.

  5. Requirements for the non-SCO state entities and non-state entities to apply security patches and upgrades, and to keep antivirus software up to date, on all systems from which the information asset may be accessed or on which it may be used.

  6. A requirement to promptly notify the division and the SCO Information Security Office if an information security incident involving the information asset occurs.


