Asset Management Policy
Purpose
The purpose of the SQETCH Studio Asset Management Policy is to establish the rules for the control of hardware, software, applications, and information used by SQETCH Studio.
Audience
The SQETCH Studio Asset Management Policy applies to individuals who are responsible for the use, purchase, implementation, and/or maintenance of SQETCH Studio Information Resources.
Policy
Hardware, Software, Applications, and Data
All hardware, software and applications must be approved and purchased by SQETCH Studio IT.
Installation of new hardware or software, or modifications made to existing hardware or software must follow approved SQETCH Studio procedures and change control processes.
All purchases must follow the defined SQETCH Studio Technology Purchasing Standard.
Software used by SQETCH Studio employees, contractors and/or other approved third parties working on behalf of SQETCH Studio, must be properly licensed.
Software installed on SQETCH Studio computing equipment, outside of that noted in the SQETCH Studio Standard Software List, must be approved by IT Management and installed by SQETCH Studio IT personnel.
Only authorized cloud computing applications may be used for sharing, storing, and transferring confidential or internal information.
The use of cloud computing applications must be done in compliance with all laws and regulations concerning the information involved, e.g. personally identifiable information (PII), protected health information (PHI), corporate financial data, etc.
Two-factor authentication is required for external cloud computing applications with access to any confidential information for which SQETCH Studio has a custodial responsibility.
Contracts with cloud computing applications providers must address data retention, destruction, data ownership and data custodian rights.
Hardware, software, and application inventories must be maintained continually and reconciled no less than annually.
A general inventory of information (data) must be mapped and maintained on an ongoing basis.
All SQETCH Studio assets must be formally classified with ownership assigned.
Maintenance and repair of organizational assets must be performed and logged in a timely manner and managed by SQETCH Studio IT Management.
SQETCH Studio assets exceeding a set value, as determined by management, are not permitted to be removed from SQETCH Studio's physical premises without management approval.
All SQETCH Studio physical assets exceeding a set value, as determined by management, must contain asset tags or a similar means of identifying the equipment as being owned by SQETCH Studio.
If a SQETCH Studio asset is being taken to a High-Risk location, as defined by the FBI and the Office of Foreign Assets Control, it must be inspected and approved by IT before being taken offsite and before reconnecting to the SQETCH Studio network.
Confidential information must be transported either by a SQETCH Studio employee or by a courier approved by IT Management.
Upon termination of employment, contract, or agreement, all SQETCH Studio assets must be returned to SQETCH Studio IT Management.
Mobile Devices
SQETCH Studio does not allow personally owned mobile devices to connect to the SQETCH Studio corporate internal network.
OR
The use of personally owned mobile devices to connect to the SQETCH Studio network is a privilege granted to employees only upon formal approval of IT Management.
Mobile devices used to connect to the SQETCH Studio network are required to use the approved Mobile Device Management (MDM) solution.
Mobile devices that access SQETCH Studio email must have a PIN or other authentication mechanism enabled.
Confidential data should only be stored on devices that are encrypted in compliance with the SQETCH Studio Encryption Standard.
All mobile devices should maintain up-to-date versions of all software and applications.
Media Destruction & Re-Use
Media that may contain confidential or internal information must be adequately obscured, erased, destroyed, or otherwise rendered unusable prior to disposal or reuse.
Media reuse and destruction practices must be conducted in compliance with SQETCH Studio’s Media Reuse and Destruction Standards.
All decommissioned media must be stored in a secure area prior to destruction.
Media reuse and destruction practices must be tracked and documented.
All information must be destroyed when no longer needed, including encrypted media.
Backup
The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the information owner.
The SQETCH Studio backup and recovery process for each system must be documented and periodically reviewed according to the defined review schedule.
The vendor(s) providing offsite backup storage for SQETCH Studio must be formally approved to handle the highest classification level of information stored.
Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the highest SQETCH Studio sensitivity level of information stored.
A process must be implemented to verify the success of the SQETCH Studio electronic information backup.
Backups must be periodically tested to ensure that they are recoverable in accordance with the backup standard.
Multiple copies of valuable data should be stored on separate media to further reduce the risk of data damage or loss.
Procedures between SQETCH Studio and the offsite backup storage vendor(s) must be reviewed at least annually.
Backups containing confidential information must be encrypted in accordance with the Encryption Standard.
Signature cards held by the offsite backup storage vendor(s) for access to SQETCH Studio backup media must be reviewed annually or when an authorized individual leaves SQETCH Studio.
Backup tapes must have at a minimum the following identifying criteria that can be readily identified by labels and/or a bar-coding system:
· System name
· Creation Date
· Sensitivity Classification
· SQETCH Studio Contact Information
Removable Media
The use of removable media for storage of SQETCH Studio Information must be supported by a reasonable business case.
All removable media use must be approved by SQETCH Studio IT prior to use.
Personally owned removable media use is not permitted for storage of SQETCH Studio information.
Users are not permitted to connect removable media of unknown origin without prior approval from SQETCH Studio IT.
Confidential and internal SQETCH Studio information should not be stored on removable media without the use of encryption.
The loss or theft of a removable media device that may have contained any SQETCH Studio information must be reported to SQETCH Studio IT.
SQETCH Studio will maintain inventory logs of all media and conduct media inventories at least annually.
The transfer of information to removable media will be monitored.
References
· ISO 27002: 6, 8, 11, 12, 16, 18
· NIST CSF: ID.AM, PR.IP, PR.DS, PR.PT, DE.CM
· Change Control Policy
· Encryption Policy
· Encryption Standard
· Information Classification and Management Policy
· Media Reuse and Destruction Standard
· Technology Purchasing Standard
Enforcement
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.
Last Update: January 2022