Overview

Asset management is the process of receiving, tagging, documenting, and eventually disposing of equipment. It is critically important to maintain up to date inventory and asset controls to ensure computer equipment locations and dispositions are well known. Lost or stolen equipment often contains sensitive data. Proper asset management procedures and protocols are a key part of any information security program.

Purpose

This policy provides procedures and protocols supporting effective organizational asset management specifically focused on electronic devices that may be used to store customer data (e.g. key assets that impact information security).

Scope

Applies to all staff.

Asset Tracking

An asset-tracking database shall be created to track key assets. It shall minimally include purchase and device information including:

  • Date of purchase
  • Make and model
  • Serial Number
  • Location
  • Type of asset
  • Owner
  • Disposition
  • Operating System

Asset Disposal AND Re-purposing

Procedures governing asset management shall be established for secure disposal or re-purposing of equipment and resources prior to assignment, transfer, transport, or surplus. When disposing of any asset, sensitive data must be removed prior to disposal. IT support staff shall determine what type of data destruction protocol should be used for erasure. Minimally, data shall be removed using low level formatting.

Audit

IT staff shall perform a monthly audit on key assets. Evidence of said audit shall be key on file.

Enforcement

Staff members found in policy violation may be subject to disciplinary action, up to and including termination.

References

Revision 1.0.0 - last updated December 16, 2019