Asset Control Policy

Version: 1.00Issue Date: 12/8/2014

This is an example Asset Control Policy. An Asset Control Policy is required to track organizational assets and ensure that assets are not stolen or moved without authorization. This Asset Control Policy increases organizational efficiency by preventing staff from needing to locate equipment. This Asset Control Policy also increases security by requiring authorization to move equipment which may include data.

1.0 Overview

All employees and personnel that have access to organizational computer systems must adhere to the IT asset control policy defined below in order to protect the security of the network, protect data integrity, and protect and control computer systems and organizational assets. The Asset Control Policy will not only enable organizational assets to be tracked concerning their location and who is using them but it will also protect any data being stored on those assets. This asset policy also covers disposal of assets.

IT assets should not be confused with nor tracked with other organizational assets such as furniture. One of the main reasons to track IT assets other than for property control and tracking is for computer security reasons. A special IT asset tracking policy will enable the organization to take measures to protect data and networking resources.

This Asset Control Policy will define what must be done when a piece of property is moved from one building to another or one location to another. This Asset Control Policy will provide for an asset tracking database to be kept updated so the location of all computer equipment is known. This Asset Control Policy will help network administrators protect the network since they will know what user and computer is at what station in the case of a worm infecting the network. This Asset Control Policy also covers the possibility that data on a computer being moved between secure facilities may be sensitive and must be encrypted during the move.

2.0 Purpose

This asset control policy is designed to protect the organizational resources on the network by establishing a policy and procedure for asset control. These policies will help prevent the loss of data or organizational assets and will reduce risk of losing data due to poor planning.

3.0 Scope

This Asset Control Policy applies to all members of the organization or anyone using organizationally owned or leased equipment whether they are a contractor, vendor, employee, business partner or any other third party. This Asset Control Policy applies to all software and information technology resources. It applies to situations when assets are moved or disposed of. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Asset Tracking System

An asset tracking database will be created and kept up to date. The tool used for updating the database shall provide the ability to add new assets and record disposal of assets and archive entries for assets that were previously disposed of. The tool used for updating the asset tracking database should be easy to use.

The software tracking tool used for tracking assets should be able to log times when the database is audited and whether changes are made by an auditor. The tool should be able to log changes so it can be determined who changed entries. The software tracking tool should be able to support entry of both an asset owner and an asset custodian.

5.0 Assets Tracked

This section defines what IT assets should be tracked and to what extent they should be tracked.

5.1 IT Asset Types

This section categorized the types of assets subject to tracking.

  1. Desktop workstations
  2. Mobile devices - These systems should be put into the hands of a custodian that agrees to operate the system in compliance with policy. It is not necessary to track every instance when these devices are moved but theft or loss must be promptly reported to the supervisor and the security office. Sensitive data on these devices must be kept encrypted.
    • Laptop mobile computers
    • Handheld devices
    • Mobile memory devices
  3. Printers, Copiers, FAX machines, multifunction machines
  4. Scanners
  5. Servers
  6. Firewalls
  7. Routers
  8. Switches
  9. Memory devices, non mobile
  10. Software

5.2 Assets Tracked

Assets which cost less than $100 shall not be tracked specifically including computer components such as video cards or sound cards. However, licensed software and assets which store data regardless of cost shall be tracked. Assets that shall be tracked include:

  1. Hard Drives
  2. Temporary storage drives
  3. Tapes with data stored on them including system backup data.
  4. Although not specifically tracked, other storage devices including CD ROM disks and floppy disks are covered by this policy for disposal and secure storage purposes.

5.3 Small Devices

Mobile devices and small memory storage assets will not be tracked by location but by trustee. These assets include:

  1. Floppy disks
  2. CD ROM disks
  3. Memory sticks
  4. All mobile devices

If these types of devices are permitted for some employees, the trustee of the device must sign for receipt of these devices in their posession. All employees must also agree to handle memory sticks, floppy disks, and CD ROM disks in a responsible manner and follow these guidelines:

  1. Never place sensitive data on them without authorization. If sensitive data is placed on them, special permission must be obtained and the memory device must be kept in a secure area. The data on them must be encrypted according to the minimum standard set by the Encryption Policy.
  2. Never use these devices to bring executable programs from outside the network without authorization and without first scanning the program with an approved and updated anti-virus and malware scanner. Any program brought into the network should be on the IT department list of approved programs.
  3. If the device is lost or stolen, it must reported as soon as possible to the employee supervisor and the appropriate procedure must be followed.

The Memory Device Trustee agreement allows employees to sign for receipt of these devices and agree to handle these devices in accordance with the terms of this policy. This form must be submitted by all employees that will work with any organizational data when the employee begins working for the organization. It will also be submitted whan employee receives one or more memory sticks, temporary storage drives, or data backup drives.

6.0 Asset Tracking Requirements

  1. All assets must have a unique ID number. Either an internal tracking number will be assigned when the asset is acquired or the use of Manufacturer ID numbers must be specified in this policy.
  2. An asset tracking database shall be created to track assets. It will include all information on the Asset Transfer Checklist table and the date of the asset change.
  3. When an asset is acquired, an ID will be assigned for the asset and its information shall be entered in the asset tracking database.

7.0 Transfer Procedure

  1. Asset Acquisition - When the asset is acquired the owner of the asset and the custodian shall be established and entered into the database. Management shall establish a custodian of the database who must be informed when a new asset is acquired.
  2. Asset Transfer Checklist - When an asset type listed on the Asset Types list is transferred to a new location or trustee, the IT Asset Transfer Checklist must be filled out by the trustee (custodian) of the item and approved by an authorized representative of the organization. The trustee is the person whose care the item is in. If the item is a workstation, then the trustee is the most common user of the workstation. For other equipment, the trustee is the primary person responsible for maintenance or supervision of the equipment.
  3. Asset Disposal - When an asset is removed from service the Equipment and Media Disposal Policy must be followed.

The trustee must fill out the Asset Transfer Checklist form and indicate whether the asset is a new asset, moving to a new location, being transferred to a new trustee, or being disposed of. The following information must be filled in:

  1. Asset Type
  2. ID number
  3. Asset Name
  4. Asset manufacturer
  5. Vendor the asset was purchased through
  6. Contract number the asset was purchased through or created under.
  7. Support contract information including expiration date, cost, and contract number
  8. Vendor contact name, email address, phone number, address
  9. Manufacturer contact name, email address, phone number, address
  10. Asset version number such as software version.
  11. Date the asset was purchased
  12. Asset Owner
  13. Asset Owner email
  14. Asset Owner phone number
  15. Current (original) Location - should have been already current unless new asset.
  16. Designated Trustee
  17. Designated Trustee email
  18. Designated Trustee phone number
  19. New Location
  20. New Trustee
  21. Last date the asset was moved
  22. Locations of Sensitive Data
  23. Highest class of sensitivity of data stored or allowed on the asset

Once the trustee fills out and signs the Asset Transfer Checklist form an authorized representative must sign it.

  • Data entry - After the Asset Transfer Checklist is completed, it will be given to the asset tracking database manager. The asset tracking database manager will ensure that the information from the forms are entered into the asset tracking database within one week.
  • Checking the database - Managers who manage projects that affected equipment location should check preiodically to see if the assets that recently were moved were added to the database. The database should provide a recent move list which can be easily checked. Managers should check the database weekly to be sure assets moved within the last 2 or 3 weeks are included in the database.

    8.0 Asset Transfers

    This policy applies to any asset transfers including the following:

    1. Asset purchase
    2. Asset relocation
    3. Change of asset trustee including when an employee leaves or is replaced.
    4. Asset disposal

    In all these cases the asset transfer checklist must be completed.

    9.0 Software Tracking

    The custodian of software shall certify compliance with licensing to their management on an annual basis. At the discretion of management, the software may be stored in a central repository and managed by a librarian which may track licensing. Management will define whether a library custodian will store and track software and who is responsible for that function or whether individual software custodians will be responsible for this function. Software tracking shall be performed according to the Software Tracking Policy.

    10.0 Asset Disposal

    Asset disposal is a special case since the asset must have any sensitive data removed prior to disposal. Any data storage devices. The manager of the user of the asset must determine what the level of maximum sensitivity of data stored on the device is. Below is listed the action for the device based on data sensitivity according to the data assessment process.

    1. None (Unclassified) - No requirement to erase data but in the interest of prudence normally erase the data using any means such as reformatting or degaussing.
    2. Low (Sensitive) - Erase the data using any means such as reformatting or degaussing.
    3. Medium (Confidential) - The data must be erased using an approved technology to make sure it is not readable using special high technology techniques.
    4. High (Secret) - The data must be erased using an approved technology to make sure it is not readable using special high technology techniques. Approved technologies for erasing data are specified in a Media Data Removal Procedure document by asset type including:
      1. Floppy disk
      2. Memory stick
      3. CD ROM disk
      4. Storage tape
      5. Hard drive.
      6. RAM memory
      7. ROM memory or ROM memory devices.

    11.0 Media Use

    This policy defines the types of data that may be stored on removable media and whether that media may be removed from a physically secure facility and under what conditions it would be permitted. Removable media includes:

    1. Floppy disk
    2. Memory stick
    3. CD ROM disk
    4. Storage tape

    Below is listed the policy for the device based on the rated data sensitivity of data stored on the device according to the data assessment process.

    1. Unclassified - Data may be removed with approval of the first level manager and the permission is perpetual for the employee duration of employment unless revoked. The device may be sent to other offices using any public or private mail carrier.
    2. Sensitive - Data may only be removed from secure areas with the permission of a director level or higher level of management and approvals are good for one time only.
    3. Confidential - The data may only be removed from secure areas with permission of a Vice -president or higher level of management. There must be some security precautions documented for both the transport method and at the destination.
    4. Secret - The data may only be removed from secure areas with the permission of the President or higher level of management. There must be some security precautions documented for both the transport method and at the destination.
    5. Top secret - The data may never be removed from secure areas.

    12.0 Enforcement

    Since asset tracking is important for the operation of the organization, employees that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

    13.0 Additional Policies

    • Software Tracking Policy
    • Change Management Policy
    • Equipment and Media Disposal Policy

    14.0 Additional Requirements

    • Senior management must ensure that this policy is published and users agree to abide by the policy.
    • Auditors must periodically check to be sure this policy is being followed and the asset transfer procedure is effective.
    • Auditors will check the accuracy of the inventory database every six months.
    • Auditors shall check the number of software licenses recorded in the asset database against the number of licenses being used to be sure the organization is in compliance with software licensing requirements.
    • The asset transfer procedure must be kept up to date to reflect current business practices and needs.
    • A software storage procedure related to the change management policy must be developed. This will ensure that new software is inventoried as part of the purchase and implementation process and ensure changes to software ownership are legal and recorded.
    • A process for acquiring and establishing the owner and custodian of assets in compliance with the change management policy must be created. This process must be communicated to potential custodians and owners of assets. The process must provide for appointing owners based on their knowledge and experience in relation to systems, data and controls along with their business responsibility for the information on the asset. Owners and custodians of assets must agree with IT development, change management, security, and operations functional areas and processes.
    • An asset tracking database custodian must be assigned by management. The database custodian will not be responsible for the physical security of the assets that are tracked in the database.
    • Appropriate procedures must be created to be followed when a mobile device or memory storage device is lost or stolen. Consideration for the type of data on the device must be given, whether that data was encrypted, and how it was encrypted.

    Approval

    Approved by:__________________________ Signature:_____________________ Date:_______________