Asset management is the process of receiving, tagging, documenting, and eventually disposing of equipment. Maintaining up-to-date inventory and asset controls is critical to ensure computer equipment locations, classification and status are well known. Lost or stolen equipment often contains sensitive data. Proper asset management procedures and protocols provide documentation that aids in recovery, replacement, criminal, and insurance activities.
This policy provides procedures and protocols supporting effective organizational asset management, specifically focused on tangible and intangible information technology assets.
This document applies to the entire Information Security Management System (ISMS) scope and all personal data processing activities.
Users of this document are all Resolver’s employees.
Resolver’s corporate IT department is the main owner of Corporate IT assets.
Switches, routers, Wi-Fi access points, VoIP telephony devices, personnel identification, and authentication/access control devices (card-access systems, etc.) and other security devices (CCTV, etc.)
Computing and storage devices e.g. desktops, workstations, laptops, tablets, servers, communications devices (network nodes), printers/copiers/FAX machines and multifunction devices, and other IoT devices.
User authentication services and user administration processes, firewalls, proxy servers, network services, wireless services, anti-spam/virus/spyware, intrusion detection/prevention, teleworking, security, FTP, email/IM, etc., Web services, software maintenance, and support contracts.
Assets that cost less than $500 shall not be tracked, including computer components such as smaller peripheral devices, hard drives, and portable hard drives, and other IoT devices.
However, assets that store data, regardless of cost, shall be tracked as part of a computing device or network-attached storage. These assets include:
The following procedures and protocols apply to asset management activities:
An asset-tracking database shall be created to track assets. It shall minimally include purchase and device information, including:
Prior to deployment, IT Department staff shall enter the asset information in the asset tracking database. All assets maintained in the asset tracking database inventory shall have an assigned owner.
Applicable for all employees: Office and Remote Employees
A request ticket is created for all exiting employees.
If an employee has been provided with additional equipment for testing, migration, business travel, or any other reason and the employee has returned the equipment, it is the employee’s responsibility to open an IT Help Desk (Zendesk) ticket to track the return process and verify that the asset is not assigned to the employee after the application is closed.
Personal, financial, legal, research and development, strategic and commercial, email, voicemail, databases, personal and shared drives, backups / digital archives, and encryption keys.
Personal, financial, legal, research and development, strategic and commercial, FAXes, backup/archival materials, keys to safes/offices, fobs, and other media storage containers.
Knowledge, business relationships, trade secrets, licenses, patents, trademarks, accumulated experience and general know-how, corporate image/brand/commercial reputation/customer confidence, competitive advantage, ethics, and productivity.
In-house/custom-written systems, client software (including shared or single-user ‘End User Computing’ desktop applications), ’commercial off-the-shelf’ (COTS), ERP, MIS, databases, software utilities/tools.
DevOps Department
All production servers deployed on dedicated bare-metal hardware or deployed in hosted Virtualization platforms in all Resolver’s production environments shall be tracked in the DevOps database inventory.
Please refer to the “Resolver Corporate Applications Business Owners” document.
A semi-annual review of Asset Inventory shall be conducted for all types of assets (Network devices, Servers, Operating Systems, etc.).
An annual End of Life review shall be conducted for all types of assets (Network devices, Servers, Operating Systems, etc.).
Please refer to “A.11.2_Resolver_Disposal_and_Destruction_Policy”.
This document is valid as of August 2022.
The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: September 2023
REVIEW CYCLE: At least annually and as needed