Asset Management Procedure

History Log

Version | Date | Author
1.1 | 1st November 2018 | Information Dynamics
1.2 | 29th December 2019 | Saravanan & Sureshkutty
1.3 | 24th December 2020 | Saravanan & Sureshkutty

  Asset Management Procedure      
Internal 2 of 5
1. Scope
This procedure applies to all activities under the scope statement of Information Dynamics.
ISO 27001:2013 Domain Reference: A.8: Asset Management

ISO 27001:2013 Reference

A.8.1.1 | Inventory of Assets
A.8.1.2 | Ownership of assets
A.8.1.3 | Acceptable use of assets
A.8.1.4 | Return of assets
A.8.2.2 | Labelling of Information
A.8.3.2 | Disposal of Media

2. Inputs
Asset Register
Asset List
3. Definitions
Asset Owner: The owner of an asset
Custodian: Person or responsible for the maintenance of asset
Labeling: Embossing the asset with identifications based on their Confidentiality, Integrity and Availability aspect.
4. Asset Management Procedure
4.1. Inventory of Assets
The identification of assets is done on the basis of labeling on assets by the respective owners.
4.2. Asset Labeling
The Asset List contains information, data and software assets.
Assets are labeled according to their Confidentiality, Integrity and Availability. Unclassified information is classified as Restricted by default.
Hardware and physical assets, including office equipment, are labeled by the Administration department.
ID has identified seven Information Asset classes. These are:
People
Information
Equipment
Tools
Environment
Services
Tools
The asset register contains the following information about the asset, for easy recovery:
Information class
Type of asset;
Location;
Asset Owner Custodian
Department
The register is updated as and when a new asset is added to the Asset list maintained by the departments.
4.3. Ownership of Assets
The assets are allocated to various individuals, groups or departments, and the responsibility for the asset lies with its owner.
The Asset Owner is responsible for the overall maintenance of the asset along with the custodian.
The labeling of the asset is done by the owner.
4.4. Operation of Assets
The acceptable use of information assets and assets associated with information processing facilities is as per the End user guideline.
4.5. Maintenance of Assets
The Asset Register identifies different custodians for the assets. The responsibility for the asset lies with the custodian. However, general maintenance is also the responsibility of the Asset Owner.
The maintenance of the asset is done by the custodian as per the IT Infrastructure Guideline and Administration Guideline, where IT Infrastructure Administration Administration are custodians respectively.
Any incident causing a threat to the asset is reported by the Asset Owner as per the Incident Procedure.
4.6. Disposal of Assets
Retention time of assets is defined by the respective asset owner.
Information and data assets, including hard copies, are shredded before disposal so as to avoid any leakage of information outside ID. Only confidential information contained in hard copies is shredded.
Before disposal, hardware devices are made devoid of any confidential or restricted information as per the User Guideline.
The asset disposal process shall follow the steps below:
Step 1: All assets that need to be disposed shall be the information asset owner. The asset shall be disposed based on the type of asset.
Step 2: Hard copy assets shall be shredded whenever there is a requirement. This activity will also be done by collating hard copies and shredding them in one cycle.
Step 3: Hard disks shall be securely disposed of through high-level formatting, degaussing techniques or physically damaging the devices.
Step 4: Optical devices like CD/DVD shall be physically damaged.
Step 5: The asset disposal list shall be verified against the actual assets that have been disposed. The same shall be signed off by the asset owner.
5. Associated Documentation
Asset Disposal list Template
Disposal form
6. Review
The asset is updated as and when a new asset is procured or developed by ID.
The Asset Register and the Asset Lists are audited at the time of audits as per the Security Audit Procedure.
7. Outputs
Asset Register
Information Asset list
Inventory list
8. KPIs

KPIs | Frequency | Objective | Source | Target
Review of Asset Sheet | Quarterly | Ensure information in the asset sheet matches the assets maintained by the department | Information Asset sheet | 100% Compliant