IT Asset Management Policy

1. Overview

Asset management is the process of receiving, tagging, documenting, and eventually disposing of equipment. Maintaining up-to-date inventory and asset controls is critical to ensure computer equipment locations, classification and status are well known. Lost or stolen equipment often contains sensitive data. Proper asset management procedures and protocols provide documentation that aids in recovery, replacement, criminal, and insurance activities.

2. Purpose, scope, and users

This policy provides procedures and protocols supporting effective organizational asset management, specifically focused on tangible and intangible information technology assets.

This document applies to the entire Information Security Management System (ISMS) scope and all personal data processing activities.

Users of this document are all Resolver’s employees.

3. Reference documents

  • ISO/IEC 27001:2013 standard, controls A.8.1.1, A.8.1.2
  • ISO/IEC 27701:2019 standard, controls 6.5, sub-controls 6.5.1.1 – 6.5.1.4
  • Information Security Policy.
  • 11.2_Resolver_Disposal_and_Destruction_Policy.

4. Physical IT assets

4.1. Responsibility

Resolver’s corporate IT department is the main owner of corporate IT assets.

4.2. IT support infrastructure

Switches, routers, Wi-Fi access points, VoIP telephony devices, personnel identification, and authentication/access control devices (card-access systems, etc.) and other security devices (CCTV, etc.).

4.3. IT hardware

Computing and storage devices e.g. desktops, workstations, laptops, tablets, servers, communications devices (network nodes), printers/copiers/FAX machines and multifunction devices, and other IoT devices.

5. IT service assets

User authentication services and user administration processes, firewalls, proxy servers, network services, wireless services, anti-spam/virus/spyware, intrusion detection/prevention, teleworking, security, FTP, email/IM, etc., Web services, software maintenance, and support contracts.

6. Asset Value

Assets that cost less than $500 shall not be tracked, including computer components such as smaller peripheral devices, hard drives, and portable hard drives, and other IoT devices.

However, assets that store data, regardless of cost, shall be tracked as part of a computing device or network-attached storage. These assets include:

  • Network Attached Storage (NAS), Storage Area Network (SAN), or other computer data storage.
  • USB Portable Hard drives.

7. Asset Tracking Requirements

The following procedures and protocols apply to asset management activities:

An asset-tracking database shall be created to track assets. It shall minimally include purchase and device information, including:

  • Date of purchase
  • Make, model, and descriptor
  • OS type and version
  • Serial Number
  • Type of asset
  • Owner
  • Location
  • Department
  • Purchase Order number
  • Risk Level Category

Prior to deployment, IT Department staff shall enter the asset information in the asset tracking database. All assets maintained in the asset tracking database inventory shall have an assigned owner.

8. Physical IT Asset Return Process

Applicable for all employees: Office and Remote Employees

8.1. Exiting employees – off-boarding process

A request ticket is created for all exiting employees.

  • Local site IT team is notified to collect all company assets
  • Local site IT team identifies all assets assigned to exiting employees in the asset inventory
    • Laptop(s)
    • Tablet(s)
    • Monitor(s) (If Applicable)
    • Printer(s) (If Applicable)
    • Docking Station(s) (If Applicable)
    • Mobile Phone(s) (If Applicable)
  • Local site IT sends HR, local office representatives & exiting employees a list of assets assigned to be collected.
  • HR, local site support, or a local office representative collects the identified assets.
  • The task within the Asana project or Zendesk ticket is closed by the local site IT once the assets are retrieved.

8.2. Return assets outside of the off-boarding process

If an employee has been provided with additional equipment for testing, migration, business travel, or any other reasons and the employee has returned the equipment, it is the employee’s responsibility to open an IT Help Desk (Zendesk) ticket to track the return process and verify that the asset is not assigned to the employee after the application is closed.

9. Information Assets

9.1. Digital data

Personal, financial, legal, research and development, strategic and commercial, email, voicemail, databases, personal and shared drives, backups / digital archives, and encryption keys.

9.2. Tangible information assets

Personal, financial, legal, research and development, strategic and commercial, FAXes, backup/archival materials, keys to safes/offices, fobs, and other media storage containers.

9.3. Intangible information assets

Knowledge, business relationships, trade secrets, licenses, patents, trademarks, accumulated experience and general know-how, corporate image/brand/commercial reputation/customer confidence, competitive advantage, ethics, and productivity.

9.4. Application software

In-house/custom-written systems, client software (including shared or single-user ‘End User Computing’ desktop applications), ‘commercial off-the-shelf’ (COTS), ERP, MIS, databases, software utilities/tools.

10. Assets in Resolver’s hosted production environments

10.1. Responsibility

DevOps Department

10.2. Production Virtual server

All production servers deployed on dedicated bare-metal hardware or deployed in hosted virtualization platforms in all Resolver’s production environments shall be tracked in the DevOps database inventory.

11. Assets Classification

Please refer to the “Resolver Corporate Applications Business Owners” document.

12. Asset Inventory Review

A semi-annual review of Asset Inventory shall be conducted for all types of assets (Network devices, Servers, Operating Systems, etc.).

13. End of Life (EOL) Review

An annual End of Life review shall be conducted for all types of assets (Network devices, Servers, Operating Systems, etc.).

14. Asset Disposal and Repurposing

Please refer to “A.11.2_Resolver_Disposal_and_Destruction_Policy”.

15. Validity and document management

This document is valid as of August 2022.

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number of incidents arising from the unclear definition of the ISMS scope.

EFFECTIVE ON: September 2023

REVIEW CYCLE: Annual at least and as needed