1051 NW 14th St., Suite 165
(UM mail routing R-26)
Miami, FL 33136
Receptionist: 305-243-6475
Hours: 8:30am - 5:00pm, M-F
Help Desk: 305-243-5999
Hours: 24/7
General fax: 305-243-6417
Admin. fax: 305-243-2622
Asset management
Objective • Asset management should achieve and maintain appropriate protection of organizational assets, to ensure continuity of operations and security of information.
Inventory of assets • All significant information assets should be clearly identified and accounted for in an inventory listing, and have assigned owners (controllers, stewards) who are responsible for their appropriate protection. This could include:
- core attributes for each asset, including make/model/format, creation/manufacture date and any other information necessary to specify type;
- one or more identifiers for the asset, at least one of which should be unique itself or unique in combination with other attributes (e.g., serial number, asset number, service tag number, part number, release number, stock-keeping unit, universal product code);
- additional attributes relevant to categorizing the asset (e.g., model or release year, size or form factor, color);
- assigned owner (controller, steward);
- logical or physical location, or, for portable assets, the range or class of physical locations in which they may be used;
- status and location of backup devices or backup information (if appropriate);
- status and location of license information (if appropriate);
- business value, security classification and level of protection;
- acquisition cost, current depreciated value, purchase order or work order for acquisition, or other relevant accounting attributes; and
- any additional data on the asset necessary to allow recovery from a disaster or otherwise assure continuity of operations.
Types of assets • Asset types managed within one or more “inventories” may include, depending on organizational requirements:
- hardware assets, including computer and communications equipment, fixed location and removable storage media;
- software assets, including application and system software, development tools and utilities;
- data assets in databases or data files;
- contracts or agreements, systems documentation, user manuals, training materials, operational or support procedures associated with these assets;
- supporting services, including general utilities like HVAC, lighting and electric power supply;
- support staffing, including qualifications and experience; and
- intangibles, such as reputation and image of the organization.
Ownership (control) of assets • All assets should be “owned” (controlled) by a designated person or part of the organization, who/which has clearly-specified responsibilities for the asset’s management. This could include:
- the name of the owner, with periodic review of appropriateness of assigned ownership;
- owner responsibilities, including duties to ensure accurate data about the asset and appropriate classification of any information on it; and
- definition and periodic review of access restrictions and other controls associated with the asset.
Classification of assets • Information assets should be classified in terms of value and criticality to the organization, sensitivity and legal requirements. This could include:
- assigning responsibility to the asset owner or to a central organizational authority for making this classification; and
- periodic review to ensure that classifications appropriately reflect business needs and legal, regulatory and certification requirements, and that they balance confidentiality, integrity and availability concerns against other organizational goals.
Labeling and handling • An appropriate set of procedures for asset labeling and handling should be developed by the organization, and implemented in accordance with the classification scheme(s) adopted by the organization. This could include:
- responsibility of the asset owner to assure/confirm classification and labeling, and subsequent handling consistent with that label;
- classifications that cover all information processing facilities and information in all forms and media;
- procedures for establishing ownership and chain of custody; and
- procedures for logging and reporting security incidents associated with the asset.
Acceptable use of assets • Rules for the acceptable use of information assets and assets associated with information processing facilities should be identified, documented and implemented. This could include rules and guidelines for:
- general use of the organization’s resources, systems and devices;
- use of particular systems or services (e.g., email, Internet);
- mobile devices;
- non-mobile devices used off-site; and
- asset users’ awareness of these rules and guidelines, including an appropriate educational program.
SOURCE: ISO-27001/27002:2005 sects. 7.1 – 7.2