Asset Management Policy v1.5 PDF

Summary

This document is an asset management policy for Bizimply. It provides guidance on the acquisition, use, maintenance, and disposal of assets owned by the company. It covers company-owned devices, leased devices, and company-provided systems, regardless of geographical location. The policy outlines procedures for handling assets, including compliance and communication.

Full Transcript


Asset Management Policy v1.5
Tags: ISO27001
Last edit time: January 14, 2025 9:55 AM
Last edited by: Peter Baker
Security Label: Level 2 - Confidential Use

Document History

Version | Date | Author | Summary of changes
1.0 | Nov 22nd 2022 | Adam Morrissey | Completed version 1.0
1.1 | Feb 28th 2023 | Adam Morrissey | Revised version. Updated to 1.1
1.2 | Apr 17th 2023 | Adam Morrissey | Revised version. Updated to 1.2
1.3 | Sep 14th 2023 | Adam Morrissey | Reviewed & revised version. Updated to 1.3. Updated Compliance for relevant handbooks. Section 2.3 change MDM to Intune.
1.4 | Nov 22nd 2024 | Peter Baker | Section 2.6.1 change to Ireland/UK Device Manager. Acknowledgement removed. Updated to version 1.4

Prepared By: Adam Morrissey, Information Security Manager
Approved By: Conor Shaw, CEO

Purpose

The purpose of this Asset Management Policy is to provide guidance on the acquisition, use, maintenance, and disposal of assets owned by Bizimply. For the purposes of this document, "assets" are defined as any property or equipment owned or leased by Bizimply.

Scope

This policy covers all company-owned devices alongside the data stored within them. It also includes any devices that may be leased and/or company-provided systems and media, regardless of geographical location.

Audience

This policy applies to employees and contractors, who must adhere to this Asset Management Policy while performing work-related activities as part of their day-to-day duties. Asset management is required to aid in the upkeep and use of hardware and software, to ensure that any information, data, internal systems and networks remain secure and are only accessed by those authorised to do so. This applies at all times to all staff and should be adhered to whenever accessing Bizimply information, regardless of format or device.
Communication

This Asset Management Policy shall be communicated to relevant employees and contractors as part of their onboarding process, and subsequently if any changes are made to this policy. All employees, contractors and third parties will be given a copy of this document as part of this policy, and it will be re-issued if any periodic updates occur.

Compliance

Where an employee, contractor or third party performs an activity or activities which would breach this Asset Management Policy, they shall be subject to the disciplinary process as documented within the relevant Employee Handbook or applicable contract.

Improvement

Management is committed to the continual improvement of our Asset Management Policy, and shall review this document on an annual basis, or whenever an independent review of our organisation's ISMS reveals a non-conformance or opportunity for improvement. The Management Review shall determine if this policy continues to meet the requirements of our organisation. Management is committed to the security of our information and has developed and approved this information security policy in line with the requirements of the ISO 27001:2013 standard for asset management.

Management also endeavours to plan our business operations so that our information and information assets are not misused, either intentionally or unintentionally. This is done by identifying and assigning separate duties throughout our critical business activities to guard against misuse such as fraud or errors in data processing activities. Where a user identifies potential conflicts or misuse of information or information assets due to improper planning and assignment of duties, they should raise their concern immediately with their line manager or the ISMS Manager.

1. Inventory Of Assets

Any assets that are associated with information or information processing need to be identified and managed over the lifecycle of the device.
A register or inventory of assets is maintained to manage and control devices and to ensure that standards are kept for device use and security.

1.1 Ownership of assets

All information assets must have an owner; this includes devices not currently in circulation among staff and contractors. Asset ownership can differ from legal ownership, and can be held at an individual, department or other entity level. The asset owner is individually responsible for the effective management of their device(s) or asset(s) from the acquisition or creation date. Management can be delegated and ownership changed during the life cycle, once the change has been properly documented.

1.2 Acceptable use of assets

The acceptable use of information and/or assets is extremely important. The rules that govern the acceptable use of assets can be found within the Acceptable Use Policy. The rules for acceptable use must take into consideration employees, temporary staff, contractors or third parties who have access to information assets. It is integral that all relevant parties have access to documented acceptable use rules, and that these are reinforced during onboarding, regular training, information security awareness and/or any compliance-related activities.

1.3 Return of assets

All employees, contractors and third parties are obliged to return any organisational and information assets upon termination of their employment, contract or agreement.

1.4 Handling of Assets

Procedures for handling assets need to be developed, kept current and implemented in accordance with the information classification matrix. The following should be considered:
- Access restrictions depending on the level of classification.
- Maintenance of a formal record of the authorised recipients of assets.
- Storage of IT assets in accordance with the manufacturer's specifications, and marking of media for authorised parties.
1.5 Management of removable media

Procedures must be put in place for the management of removable media in accordance with the information classification matrix. General use of removable media is a risk; therefore a risk assessment is necessary, and it may also be necessary to carry out use-specific risk assessments in the future. Where possible, administrators shall implement controls to block the use of removable media on all endpoints. Endpoints include company laptops, computers, mobile phones, networking devices, and servers, whether physical or virtual.

Removable media should only be authorised if there is a justified business reason for that specific method of data transport. If there is a justified business reason, this must be documented within the Risk Register, and when no longer needed the contents of any removable media should be made unrecoverable and the media destroyed or erased. All media should be stored in a safe, secure environment, in accordance with the manufacturers' specifications, with additional techniques such as cryptography considered where appropriate (i.e. as part of the risk assessment). Where necessary and practical, authorisation should be required for media removed from the organisation, and a record kept to maintain an audit trail. See section 3.4, Controlling of removable media, of the Information Systems Security Policy for further information.

1.6 Disposal of media

When no longer required, media must be disposed of securely by following the documented procedures. These procedures minimise the risk of confidential information leaking to unauthorised parties, and should be proportional to the sensitivity of the information being disposed of. Considerations include whether or not the media contains confidential information, and having procedures in place which help identify the items that might require secure disposal.
1.7 Physical media transfer

Any media that contains information or data needs to be protected at all times against unauthorised access, misuse or corruption during transportation (unless the information is publicly available). The following should be considered to protect media during transport:
- Reliable transport and a list of authorised couriers are to be agreed upon.
- Packaging should be sufficient to protect the contents from physical damage.
- Logs should be kept identifying the content of the media stored and the protection applied.

It should be noted that where 'Confidential' information on media is not encrypted, further physical protection should be considered.

2. Asset management policy

The following classes of assets are subject to being inventoried and tracked:
- Laptop/mobile computers
- Monitors
- Photography/videography equipment
- Microphone/sound equipment
- Tablets
- Printers, copiers, fax machines & multifunction printing devices
- Mobile phones
- Scanners
- Servers
- Networking appliances (firewalls, routers, switches, UPS (uninterruptible power supply)), endpoint network hardware & storage
- Private branch exchange (PBX) and Voice over Internet Protocol (VoIP) telephony devices
- Internet Protocol (IP) enabled video and security devices
- Any other physical devices issued to staff

2.1 Asset Acquisition

All requests for the acquisition of new assets must be approved by the appropriate department or manager before purchase. The acquisition process should take into account the asset's security, usefulness, cost, and potential impact on the company's operations. All assets must be tracked and recorded in an inventory system.

2.2 Exclusions from tracking

Hardware items which have a value of under €50 or equivalent (in other currencies) are not tracked. These hardware items include but are not limited to:
- Keyboards
- Mice
- Headsets
- Peripheral cables (HDMI, USB etc.)
2.3 Asset tracking requirements

The following procedures apply to assets which are subject to management activities and are tracked:
- Information processing assets (laptops, phones, tablets etc.) are inventoried within an MDM (mobile device management) service, dependent on the operating system (macOS, Windows etc.). Currently, these services include Intune for macOS- and iOS-based devices and for Windows- or Android-based devices.
- Non-computing assets (monitors, printers, various other electronic devices) may be inventoried within a private database to which access is restricted.

The following device information can be recorded where available:
- Make, model or other descriptors
- Serial number
- Location
- Asset type
- Assigned employee

2.4 Asset maintenance and upkeep

All devices must have their software kept up to date to ensure compliance with security standards. Any exception to this must be documented in writing and approved by the information security team. Assets must be properly maintained to ensure they are in good working order and free from defects that could pose a safety hazard. Employees and contractors should report any problems with assets to their manager and the Information Security Manager as soon as possible.

2.5 Asset Security

All assets owned by Bizimply must be secured against theft, damage, or misuse. Access to assets should be restricted to authorised personnel only. Employees and contractors must report any suspicious activity related to assets to their department manager and the Information Security Manager as soon as possible.

2.5 Asset repairs

Over time, devices are susceptible to wear and tear from daily use, so on occasion devices must be serviced and/or repaired if damaged or not functioning as intended. If a device is damaged or functioning incorrectly, it is the individual's responsibility to contact the Information Security Manager for an initial inspection to determine whether a service or repair is required.
2.6 Asset Disposal and Repurposing

When disposing of any asset, sensitive information or data must be removed before disposal. At a minimum, data shall be removed using formatting techniques appropriate to the device and the software it is running. For media storing confidential data that is not being repurposed, the disk shall be physically destroyed before disposal.

2.6.1 Device repurposing

When an employee or contractor leaves the company, their laptop and other company-owned devices will be repurposed and prepared for use by another staff member or contractor, depending on physical location. When a laptop has been returned as part of the offboarding process, the following shall occur to prepare the device for re-use and to ensure that any sensitive data previously on the laptop is securely removed:
- The laptop will be given to an authorised individual to carry out the reformatting of the device:
  - For Ireland and the UK, this is Peter Baker (Technical Support Manager).
  - For Poland, this is Bogumil Mika (Development Operations).
  - In Egypt, this is Nourhan Morsy (Senior Lead QA).
- When a laptop or other device (tablet, phone etc.) is received by the authorised individual, the device is reset to factory settings and the operating system is reinstalled up to the point where it is ready to be used by a new user.

2.6.2 Device Destruction

When a device has reached the end of its life, it will be sent for destruction by an authorised supplier, who will provide a certificate of destruction upon successful destruction of the device. In preparation for this, the following steps will be carried out to ensure that sensitive information has been removed and is not accessible by the authorised supplier:

Laptops: Laptops will be "wiped" (reset to factory settings) a minimum of 3 times. Upon the last wipe of the device, the disk image shall not be reinstalled, to ensure that a user cannot gain access to the device at all.
Once the wiping process has been completed, the device's serial number shall be documented so that the asset inventory system can be updated when the device has been successfully destroyed. Upon confirmation of the destruction and receipt of the certificate of destruction, the asset register and asset inventory systems shall be updated to reflect that the device has been destroyed and is no longer in rotation for use.

Other devices (phones, tablets etc.): Devices such as phones and tablets cannot have their operating system or image permanently removed. These types of devices will therefore be reset to factory settings a minimum of 3 times before being sent for destruction. Once the factory reset process has been completed, the device's serial number shall be documented so that the asset inventory system can be updated when the device has been successfully destroyed. Upon confirmation of the destruction and receipt of the certificate of destruction, the asset register and asset inventory systems shall be updated to reflect that the device has been destroyed and is no longer in rotation for use.

2.6.3 Device Audit

When devices have been successfully destroyed and the certificate of destruction has been received, an audit shall be carried out following the Internal Audit Policy to verify that the process has been successfully carried out; the audit report can then be presented to the management team for review.

3. Policy exclusions

If there are any exceptions to this policy, they must first be risk reviewed as per the Risk Management Policy and documented as a risk within the Risk Register.
