Sample Asset Management Policy:
Document History
Version | Date | Revised By | Description |
<Version number> | <Current date> | <Owners's name> | This version replaces any prior version. |
Document Certification
Description | Date Parameters |
Designated document recertification cycle in days: | 30 - 90 - 180 - 365 <Select cycle> |
Next document recertification date: | <Future date> |
Sample Asset Management Policy
As stated in the Company Sample Information Security Program Charter, the Company will follow a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures. The Information Security Program will protect information assets by establishing policies to identify, classify, define protection and management objectives, and define acceptable use of Company information assets.
This Asset Management Policy defines Company objectives for establishing specific standards for the management of the networks, systems, and applications that store, process and transmit Company information assets. Company information assets are defined in the Sample Asset Identification and Classification Policy.
I. Scope
All employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on Company premises, at hosted or outsourced sites supporting the Company, or who have been granted access to Company information or systems, are covered by this policy and must comply with associated standards and guidelines.
II. Objectives
The Company systems, including hardware and software, must be managed in accordance with the information asset protection objectives established in the Sample Asset Protection Policy throughout the life cycle from acquisition to disposal. Specific instructions and requirements for life cycle management of Company hardware and software are provided in the Sample Life Cycle Management Standard.
The Company will establish and maintain Sample Asset Protection Standards in accordance with the information asset protection objectives established in the Asset Protection Policy for each system represented in the Company production environment. Specific instructions and requirements for configuration management are provided in the Sample Configuration Management Standard.
All systems, networks, and applications used in the Company production environment and in virtual premises, such as hosting sites, must follow the documented change control process and procedures to ensure that only authorized updates or changes are made. Specific instructions and requirements for change control are provided in the Sample Change Control Standard.
All production systems and applications developed by the Company or on behalf of the Company must adhere to the documented process of analyzing, designing, developing, testing, and enhancing systems to ensure the integration of appropriate security controls. Specific instructions and requirements for systems development are provided in the Sample System Development Life Cycle Standard.
The Company will establish and maintain the Sample Legal Hold Standards in coordination with the <Company's> General Counsel, Legal Department, or designated third party Legal Counsel.
III. Responsibilities
The Chief Information Officer (CIO) is the approval authority for the Asset Management Policy.
The Chief Information Security Officer (CISO) is responsible for the development, implementation, and maintenance of the Asset Management Policy and associated standards and guidelines.
Legal counsel is responsible for ensuring that contracts, licenses, and service agreements enforce the Asset Management Policy and associated standards and guidelines.
Company management is accountable for ensuring that the Asset Management Policy and associated standards and guidelines are properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Asset Management Policy and associated standards and guidelines.
All individuals, groups, or organizations identified in the scope of this policy are responsible for familiarizing themselves and complying with the Asset Management Policy and associated standards and guidelines.
IV. Enforcement and Exception Handling
Failure to comply with the Asset Management Policy and associated standards, guidelines, and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Asset Management Policy should be submitted to <Title>. Exceptions shall be permitted only on receipt of written approval from <Title>.
V. Review and Revision
The Asset Management Policy will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Officer
- Chief Information Officer