New Asset Management Policy Released!
We are excited to share our latest Asset Management Policy, developed to provide a clear and structured approach to identifying, safeguarding, and managing organizational assets at ABC Corp.

Key Highlights Include:
- Asset Identification & Inventory
- Ownership & Accountability
- Information Classification (Confidential, Internal, Public)
- Acceptable Use & Retention Policies
- Media Handling & Secure Disposal
- Proper Labeling of Assets

This policy empowers every employee and contractor to protect critical information and systems, ensuring compliance and operational integrity.
Presentation Transcript
Asset Management Policy v1.0
Classification: Internal

Sample Asset Management Policy

Document ID: NN-NNN-NN
Page 1 of 7
Version Control

Version   Date       Prepared By   Reviewed By   Approved By
1.0       dd-mm-yy

Change History

Version   Description of Change
1.0       First release

Distribution List

1. Write the target audience who should receive a copy of this document.
2.
3.

This document is created by the Azpirantz Marketing Team. For expert consulting aligned with your business needs, please reach out to sales@azpirantz.com.
Purpose

The purpose of this policy is to provide a structure for identifying and safeguarding organizational assets by establishing clear protection rules and responsibilities.

Scope

This policy covers all information assets and information processing systems used for receiving, transmitting, processing, and storing information assets within ABC Corp.

Responsibility

All employees and contractors are accountable for adhering to this policy. The Information Security Steering Committee has the authority to enforce it, and all Functional Heads are responsible for ensuring its implementation within their domains.

Policy Statements

Responsibility of Assets

To ensure proper protection and accountability, the following principles govern the management of organizational assets:

● Asset Identification: All information assets, including data and the systems used to process it, must be clearly identified. This ensures that every valuable resource is accounted for.
● Asset Inventory: A comprehensive inventory of all identified assets must be created and maintained. This inventory serves as a central record for tracking and managing assets.
● Inventory Maintenance: The asset inventory must be regularly updated to reflect any changes, such as additions, removals, or modifications. Periodic audits will be conducted to verify the accuracy of the inventory.
● Asset Ownership: For each asset, a specific owner must be designated. This individual is responsible for the overall security and management of that asset.
● Owner Accountability: The asset owner is ultimately responsible for ensuring the security of their assigned assets. While routine security tasks can be delegated, the owner retains overall accountability.
● Asset Return: Upon termination of employment, contracts, or agreements, all employees, contractors, suppliers, and vendors must return any organizational assets in their possession.
● Reporting Unreturned Assets: Any assets not returned as required must be immediately reported to the relevant managers to ensure prompt action to recover and secure the assets.
● Asset Tracking: Throughout the asset's lifecycle, its location and custody must be clearly documented and traceable. This ensures that the asset's whereabouts are known at all times.

Information Classification
● Responsibility for Classification: The individual responsible for each information asset (the "owner") is accountable for determining the correct classification. This means they must decide how critical and sensitive the information is.
● Protection Based on Classification: The owner is also responsible for ensuring that the information is protected according to its classification. This includes preventing unauthorized access (disclosure), preventing unauthorized changes (modification), and ensuring that the information is available when needed (availability).
● Verification of Protection: To confirm that the protection measures are effective, the asset owner can request an internal audit. This audit helps ensure that the information is being handled according to its classification.

All information assets will be assigned to one of the following classification categories, each with its own set of protection requirements:

Confidential

This classification applies to information whose compromise through theft, unauthorized disclosure, modification, or unavailability would significantly harm the organization's operations or its relationships with business partners. This category represents data with a high business impact.

● Ownership and Access Control:
  ○ The "Owner" holds the authority to determine if an information asset is classified as "Confidential."
  ○ The Owner also specifies who is authorized to access the information asset, defining roles or individuals.
  ○ Furthermore, the Owner can impose specific access restrictions, such as limiting the ability to view, copy, delete, or edit the information, as needed.
● Examples of Confidential Information:
  ○ Credit and debit card details (Cardholder Data), subject to PCI compliance.
  ○ Patient healthcare information, as governed by HIPAA regulations.
  ○ Statements of Work (SOWs), which may contain sensitive project details.
  ○ Signed client agreements, which often include proprietary or sensitive terms.
● Handling Requirements:
  ○ Access to confidential information, particularly privacy and financial data, must be strictly limited to personnel with a justified business need.
  ○ Confidential information, including privacy and financial data, must be securely destroyed once its authorized purpose is fulfilled, to prevent unauthorized access or disclosure. This destruction must be done in a way that prevents the retrieval of the data.

Internal

'Internal' information refers to sensitive information that, if publicly disclosed, could negatively impact the organization. This includes details concerning our operational processes, facility layouts, strategic planning documents, and any information providing insight into our internal workings. To protect the organization, 'Internal' classified information assets must not be shared externally through any means, including email, printed copies, or digital transmissions.

Example: Documents detailing internal processes or facility layouts are considered 'Internal'.

Public

Information classified as 'Public' is intended for broad distribution and can be shared with anyone inside and outside the organization. This category includes materials designed for public consumption, such as product or service brochures, marketing materials, and other information that promotes our offerings. Essentially, if the information is meant to be seen by the general public, it is considered 'Public.'

Classification Review and Breach Reporting:

To ensure accuracy, the owner of each information asset must regularly review the assigned classification level. This periodic review allows for adjustments as information sensitivity changes over time. Importantly, any suspected or confirmed breach of information, regardless of whether it is classified as Confidential (including privacy data) or Internal, must be immediately reported to the incidents team. This prompt reporting is crucial for mitigating potential damage and ensuring the organization's security.
Acceptable Use of Assets

To ensure the proper and secure use of company resources, each asset owner is responsible for establishing clear guidelines on how those assets should be used. This includes defining rules for information assets (like data and software) and the systems used to process that information (like computers and servers). Specifically, the asset owner must:

● Define Usage Rules: Create clear and specific rules that outline permissible and prohibited activities related to the asset.
● Regularly Review: Reassess these rules at least annually, or whenever the asset's classification changes, to ensure they remain relevant and effective.
● Ensure Compliance: Take steps to ensure that all users of the asset adhere to the established rules. This might involve training, monitoring, or implementing security controls.
● Communicate Rules: Clearly communicate these rules to all relevant individuals who have access to or use the asset, ensuring everyone understands their responsibilities.

Retention of Data & Records

● Requirement Identification: The asset owner is required to identify all applicable legal, regulatory, contractual, and business requirements that dictate the retention periods for their respective data and records.
● Requirement Review and Update: The asset owner is responsible for the ongoing review and timely update of data and records retention requirements, reflecting any changes in legal, regulatory, contractual, or business obligations.
● Retention Compliance: The asset owner shall ensure that data and records are retained for the full duration specified by the identified requirements.
● Communication: The asset owner shall communicate the applicable data and records retention requirements to all relevant stakeholders.

Media Handling

● Protection: Media containing information assets shall be protected against unauthorized access, misuse, and corruption, and its availability shall be ensured.
● Ownership: Ownership of all media shall be explicitly defined and documented.
● Tracking: A log of issuance, possession, and custody shall be maintained for all media containing information assets.
● Log Maintenance: The media custodian is responsible for maintaining the issuance, possession, and custody log.
● Return of Media: All media shall be returned to the owner or custodian upon completion of the assigned task.
● Transportation Security: Media used for the transportation of information assets shall be protected against unauthorized access and corruption during transit.
● Secure Disposal (Reuse/Reissue): Prior to reuse or reissue for any purpose, the information stored on media shall be securely disposed of, ensuring that data retrieval is impossible.
● Secure Disposal (End of Life): Media shall be securely disposed of when no longer required.
● Disposal Procedures: Secure media disposal procedures shall be defined and documented.

Labeling

● Asset Labeling: All information assets, whether in physical or electronic format, shall be labeled according to their assigned classification level.
● Container Labeling: Where individual assets cannot be labeled, containers storing information assets shall be labeled according to the classification level of the contained assets.
● Label Specifications: Labels shall be of appropriate size, affixed in a readily visible location, and clearly readable.
● Classification Indication: Labels must clearly indicate the classification level of the information asset (Confidential, Internal, or Public).
● Ownership Indication: Labels must identify the owner of the information asset.
● Label Updates: Labels shall be updated immediately upon any change in the classification level or ownership of the information asset.

Note: This document serves as a template. Organizations are required to develop a comprehensive policy that incorporates specific legal, regulatory, contractual, and business requirements.