Introduction
Vertic Pty Ltd has a wide variety of assets under its control, all of which have specific value and requirements for protection. In order to provide effective information security, it is important that assets are identified and responsibility for their protection is allocated correctly.
These responsibilities include ensuring assets are handled and used appropriately, returned or disposed of when no longer required, and that appropriate controls are placed upon them in line with their sensitivity and value to the organization.
This policy sets out the main rules for the management of assets and will be supported by more specific procedures which detail how these rules must be implemented.
This policy applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Vertic Pty Ltd systems.
Asset management policy
Responsibility for assets
An inventory of assets associated with information and information processing facilities within Vertic Pty Ltd will be maintained. The types of assets to be identified and controlled will include:
Information
Cloud service customer data
Cloud service derived data
Hardware
Software
Physical
Virtual
Services
People
Other
These assets may be recorded in more than one location or system; for example, hardware, virtual resources and software may be tracked automatically using configuration management tools. The asset inventory will provide input to the risk management process to ensure that risks to all Vertic Pty Ltd business-critical assets are considered.
Each asset recorded in the inventory will be assigned an agreed owner who will ensure that:
All assets under their ownership are included in the inventory
An appropriate classification is assigned to the assets
Access to the assets is controlled appropriately
Assets are handled correctly, including their disposal
The asset owner may be an individual, a role or an organisational unit. Day-to-day operation and maintenance of the asset may be delegated by the owner to a custodian. Rules for the secure use of the assets will be defined by the owner and communicated to those who have access to them.
Upon termination of employment or third-party contracts, all assets that have been issued to the terminated party must be returned to Vertic Pty Ltd, including the secure removal of organization data from personal equipment.
Information classification
All information within Vertic Pty Ltd will be subject to security classification. The information classification scheme requires information assets to be protectively marked with one of three classifications (excluding Public information, which does not need to be marked). The way the information is handled, published, moved and stored will depend on this classification.
The classes of information are:
Level 1: Protected
Level 2: Restricted
Level 3: Confidential
The decision regarding which classification an information asset should fall into will be based on the following main criteria:
Legal requirements that must be complied with
Value to the organization
Criticality to the organization
Sensitivity to unauthorised disclosure or modification
All classified information must be clearly labelled with the classification that has been assigned, so that employees, contractors and third parties are aware of the level of protection that must be applied, in accordance with Vertic Pty Ltd procedures.
Media handling
Removable media (for example SSD, DVD, memory stick) must not be used to store classified information.
Where there is a requirement for data transfer to third parties, a secure method will be arranged by Vertic Pty Ltd management. Employees and contractors must not save organization data to removable media as backups, to take data to a third-party site, or to take it home to work on using their own computer, without the prior approval of the CISO.