A.8 Resolver IT Asset Management Policy

1. Overview

Asset management is the process of receiving, tagging, documenting, and eventually disposing of equipment. It is critically important to maintain an up-to-date inventory and asset controls to ensure computer equipment locations and dispositions are well known. Lost or stolen equipment often contains sensitive data. Proper asset management procedures and protocols provide documentation that aids in recovery, replacement, criminal, and insurance activities.

2. Purpose, scope, and users

This policy provides procedures and protocols supporting effective organizational asset management, specifically focused on tangible and intangible information technology assets.

This document is applied to the entire Information Security Management System (ISMS) scope and all personal data processing activities.

Users of this document are all of Resolver’s employees.

3. Reference documents

  • ISO/IEC 27001:2013 standard, controls A.8.1.1, A.8.1.2
  • Information Security Policy.
  • A.11.2_Resolver_Disposal_and_Destruction_Policy.

4. Physical IT assets

4.1. Responsibility

Resolver’s corporate IT department is the main owner of corporate IT assets.

4.2. IT support infrastructure

Switches, routers, Wi-Fi access points, VoIP telephony devices, personnel identification, and authentication/access control devices (card-access systems, etc.) and other security devices (CCTV, etc.)

4.3. IT hardware

Computing and storage devices e.g. desktops, workstations, laptops, tablets, servers, communications devices (network nodes), printers/copiers/FAX machines and multifunction devices, and other IoT devices.

5. IT service assets

User authentication services and user administration processes, firewalls, proxy servers, network services, wireless services, anti-spam/virus/spyware, intrusion detection/prevention, teleworking, security, FTP, email/IM, etc., Web services, software maintenance, and support contracts.

6. Asset Value

Assets that cost less than $350 shall not be tracked, including computer components such as smaller peripheral devices, hard drives, and portable hard drives, and other IoT devices.

However, assets that store data shall be tracked regardless of cost, either as part of a computing device or as part of network-attached storage. These assets include:

  • Network Attached Storage (NAS), Storage Area Network (SAN), or other computer data storage.
  • USB Portable Hard drives.

7. Asset Tracking Requirements

The following procedures and protocols apply to asset management activities:

An asset-tracking database shall be created to track assets. It shall minimally include purchase and device information including:

  • Date of purchase
  • Make, model, and descriptor
  • OS type and version
  • Serial Number
  • Type of asset
  • Owner
  • Location
  • Department
  • Purchase Order number
  • Risk Level Category

Prior to deployment, IT Department staff shall enter the asset information in the asset tracking database. All assets maintained in the asset tracking database inventory shall have an assigned owner.

8. Information assets

8.1. Digital data

Personal, financial, legal, research and development, strategic and commercial, email, voicemail, databases, personal and shared drives, backups / digital archives, encryption keys.

8.2. Tangible information assets

Personal, financial, legal, research and development, strategic and commercial, FAXes, and other backup/archival materials, keys to safes/offices, fobs, and other media storage containers.

8.3. Intangible information assets

Knowledge, business relationships, trade secrets, licenses, patents, trademarks, accumulated experience and general know-how, corporate image/brand/commercial reputation/customer confidence, competitive advantage, ethics, productivity.

8.4. Application software

In-house/custom-written systems, client software (including shared or single-user ‘End User Computing’ desktop applications), ‘commercial off-the-shelf’ (COTS), ERP, MIS, databases, software utilities/tools.

9. Assets in Resolver’s hosted production environments

9.1. Responsibility

DevOps Department

9.2. Production virtual servers

All virtual servers, whether deployed on hosted virtualization platforms or on dedicated bare-metal hardware servers, in all of Resolver’s production environments shall be tracked in the DevOps database inventory.

10. Assets Classification

Please refer to the “Resolver Corporate Applications Business Owners” document.

11. Asset Disposal and Repurposing

Please refer to “A.11.2_Resolver_Disposal_and_Destruction_Policy”.

12. Validity and document management

This document is valid as of July 2020.

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • the number of incidents arising from the unclear definition of the ISMS scope.

EFFECTIVE ON: September 2020

REVIEW CYCLE: At least annually and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.