Asset Management Policy

Overview

Purpose

The purpose of the asset management procedure is to help Edge Services and Solutions LLC (hereinafter called the ‘Company’) and all its subsidiaries identify, understand and assess their assets, mitigate the risks surrounding these assets, and comply with firm standards and applicable information protection and handling laws and regulations.

It provides a process to identify and classify assets, record their information, and manage their lifecycle.

In addition, the asset management procedure provides clear guidelines on information assets handling based on their categories, types and classification.

Scope

The asset management procedure applies to:

  • electronic and non-electronic information assets that are capable of storing and/or processing information.
  • employees and contractors, including third-party suppliers and temporary staff.

Roles and Responsibilities

Service Owner

  • Classify the information assets based on their criticality and ensure that asset handling controls are appropriately implemented.
  • Ensure that classification levels for information assets are reviewed at least annually during the information asset’s lifecycle.

IT Team

  • Receive the assets and capture the required details of the items into the inventory.
  • Regularly update the asset inventory with the applicable changes.

Information Security Steering Committee (ISSC)

  • Oversee the overall progress and continuous improvement of the asset management process.

Director-Cyber Security/CISO

  • Provide guidance to the service owners in the asset classification and review process. Ensure that appropriate controls are selected and implemented according to the asset classification.
  • Ensure that a review of the asset inventory is performed regularly for records correctness.

HR Team

  • Ensure that terminated / resigned employees return their assets before their end of service processes are initiated.

Internal Audit Team

  • Conduct an asset inventory audit every six months to assess its completeness and accuracy.
  • Report audit findings to the Director-Cyber Security and service owners.

Asset Management

Inventory of Assets

The Director-Cyber security / CISO prepares the list of all services provided by the company then confirms its validity and completeness during the Information Security Steering Committee (ISSC) meeting.

Once the list of services is completed, service owners identify supporting assets to their service. Assets may then be categorized based on their type as presented in the table below. Refer to Appendix A for guidelines on asset categorization.

Type                  Format          Asset Example
Softcopy              Electronic      Database, data files, emails
Hardware              Electronic      Servers, network components, desktops, printers, laptops
Software              Electronic      Applications
Hardcopy              Non-Electronic  Business documents, procedures, contracts
Supporting Utilities  Electronic      Electricity and air-conditioning
People                Non-Electronic  Employees, third parties/contract employees

All assets, irrespective of their sensitivity and criticality, shall be recorded in a detailed asset inventory with an assigned identifiable owner and classification. Information in the inventory shall be kept accurate, current and comprehensive.

The asset inventory should capture the following fields:

  • Service Name: The service associated with the asset.
  • Asset ID: A unique identifier of the asset.
  • Asset Description: A high-level description of the information asset.
  • Service Owner: The person accountable for the overall operation and maintenance of the service.
  • Asset User: The person, department, section or group that uses the asset.
  • Asset Classification: The security classification of the asset, which can be public, internal use, confidential or secret. Refer to Appendix A – Confidentiality Classification Levels for a detailed description of each classification level.
  • Asset Category: The asset categories defined in Section 4.1, such as soft copy, software, hardware, hard copy and people.
  • Date of Assignment: Date on which the asset is assigned to the user / group.

The HR team shall maintain the people asset inventory; Employee ID and Contractor ID shall be used for identification.

Physical asset details (if applicable):

  • Make or model.
  • Date of purchase.
  • Serial number (the serial number indicated on the physical asset).
  • Date of installation / commissioning.

An audit should be conducted at least half-yearly to assess whether the inventory is up to date, accurate and complete.

Refer to Appendix C for the asset inventory template.

Ownership of Assets

Assets should have a designated owner within the firm; typically, the owners of assets are the service owners. Details of asset ownership shall be recorded in the asset inventory.

The asset owner shall:

  • Ensure that all assets are recorded in the asset inventory.
  • Ensure that assets are sufficiently managed and protected based on security requirements over the whole asset lifecycle.
  • Review asset access restrictions on a half-yearly basis, based on the information classification and taking into account applicable access control policies.

Return of Assets

Employees are responsible for all firm property, materials, or written information issued to them or in their possession or control. Employees must return all firm assets in their possession on or before the last day of work.

On receipt of the asset, the IT team should update the asset inventory with the changed asset information, such as service owner, asset location and assigned user.

The HR team should ensure that the resigned / terminated employee has returned all assets assigned to them before proceeding with the end of service processes and payments.

Information security objective

Overview

All information held by the firm should be classified and labeled to ensure that it receives a level of protection appropriate to its importance, and that firm employees are aware of the sensitivity of the information they are handling and of the associated requirements to keep it secure. Each classification level may impose restrictions on how the information assets are stored, maintained, transmitted and shared.

Classification

  • Public: Any data intended for public consumption; information that may or must be available to the general public. It is defined as information with no existing local, national or international legal restrictions on access or usage.
  • Internal Use: Information that must be guarded due to proprietary, ethical or privacy considerations and protected from unauthorized access, modification, transmission, storage or other use. This type of information is only accessible to Company employees.
  • Confidential: Information protected by statutes, regulations, government policies or contractual language. Confidential data is only accessible to Company employees on a need-to-know basis, at the data owner’s discretion, and for legitimate business purposes. It can be shared only with specific authorized personnel with the required approvals.
  • Secret: Secret information is accessible only to the Executive team.

The following guidelines should be noted when performing asset classification:

  • The default classification for all information assets shall be ‘confidential’ until a specific classification is assigned by the service owner.

  • The classification of an information system shall correspond to the highest classification of data present on or passing through it.
  • An asset associated with two or more services should reflect the highest classification of those services.
  • Clients may specify controls to be applied when handling their confidential information that are contractually binding. Any such contractual undertakings will take precedence over firm classifications.
  • The classification of information assets shall be regularly reviewed by the information asset’s respective owners in coordination with the information security team.

Information Labeling

Information assets, whether electronic or non-electronic, must be appropriately labeled in accordance with the firm’s information classification.

  • Public: No label is required for information classified as public.
  • Internal Use: Hard copy and soft copy documents shall be marked in the footer of each page and on the cover page with “For Internal Use”.
  • Confidential: Hard copy and soft copy documents shall be marked in the footer of each page and on the cover page with “Confidential”.
  • Secret: Hard copy and soft copy documents shall be marked in the footer of each page and on the cover page with “Secret”.

The following guideline should be noted during labelling of information:

  • All document templates shall be designed to allow application of the relevant classification labels by the document owner.

Information Handling

Overview

Information assets should be handled according to the classification assigned to the information. The information should be protected from unauthorized disclosure or misuse while it is being processed, during storage and transit, and upon disposal.

Storage Media Handling

Management of removable media should be in accordance with the firm’s information classification framework. All media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications. Media should be disposed of securely to minimize the risk of confidential information leakage to unauthorized persons.

The following guidelines should be noted:

  • The service owner shall authorize the movement or removal of portable media from controlled areas.
  • Hardcopy confidential information and media containing such information must be locked in file cabinets, desks, safes, or other secure cabinets when not being actively used by employees. Keys should be maintained only by the ADMIN manager and other authorized management personnel.
  • Drives must be maintained and cleaned on a regular basis to prevent damage to media. Where information requires retention beyond its storage medium’s lifetime, it must be transferred to new media to avoid data degradation and loss.
  • Where information is classified as ‘secret’, cryptographic techniques should be used to protect the data on removable media. Archived data classified as ‘secret’ must be stored separately in multiple copies on different media with defined limited access rights.
  • Detailed logs of removable media related to critical information systems shall be maintained.
  • Information storage media (including paper documents, reports, program listings and system documentation; magnetic tapes, disks and optical storage media) must be disposed of securely such that data that was available on the storage media cannot be retrieved. Information storage devices containing Company information must be physically destroyed or securely overwritten using approved software and procedures according to the highest classification of information. Details of media disposal shall be recorded and verified.
  • All items of equipment containing storage media, such as hard disks, shall be checked to ensure that any sensitive information has been securely removed or overwritten prior to disposal.
  • Paper bins, storage racks, tape carriers and other containers that accumulate information storage media destined for secure disposal must be protected against theft and unauthorized access in accordance with the classification level of information.
  • The firm will comply with country laws and regulations when disposing of information systems or electronic media.

Physical Media in Transit

Physical storage media used to store or process the firm and client confidential information should be protected against unauthorized access, misuse, or corruption during transportation.

The following guidelines should be noted:

  • Only encrypted, firm-approved storage media devices may be used to transport firm and client confidential information; they should be transported by authorized couriers under the agreed processes unless they can be transported by an employee.
  • Before physical storage media can be transported, the devices should be fully powered off and approval from the Director-Cyber Security / CISO should be obtained.
  • Packaging of removable media should be sufficient to protect the contents from any physical damage likely to arise during transit and in accordance with any manufacturers’ specifications, for example protecting against any environmental factors that may reduce the media’s restoration effectiveness such as exposure to heat, moisture or electromagnetic fields.
  • Logs should be kept, identifying the content of the media, the protection applied as well as recording the times of transfer to the transit custodians and receipt at the destination.

Disposal of Media

  • Detailed procedures for asset disposal are provided in the Media Handling Procedure.
  • The IT Team should update the asset inventory with the details of media disposal.

Appendices

Appendix A: Asset Categorization

The complexity, levels and features of the asset categories shall be determined according to the firm’s requirements. Multiple aspects should be considered when defining the categories, including but not limited to:

  • Asset Format: The asset format may be the primary layer for establishing the categories as it affects the methods used to secure and protect the information asset. Typically, the format can be electronic or non-electronic.
  • Type: Assets may then be categorized based on the types listed below.
    • E-Files: Databases, data files, audit trails, and archived information.
    • Fixed Hardware: Computer equipment such as servers, desktops, modems, and printers as well as communication equipment such as network devices and fax machines.
    • Mobile Hardware: Laptops, removable backup media, smartphones, and other mobile equipment.
    • Software: Application software, system software and development tools.
    • Documents: Hard copy documents such as contracts, printed system documentation, user manuals, procedures, business continuity plans and other business-critical or proprietary documents.
    • Personnel: The personnel (employees) required to support and run services, including their qualifications, skills and experience.
    • Physical: Buildings, desks, storage rooms and cabinets.
    • Supporting Utilities: Heating, lighting, electricity and air-conditioning.

Appendix C: Asset Register

IT Asset Register