Sample Asset Management Policy:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
No edit summary
No edit summary
Line 1: Line 1:
==Document History==
==Sample Asset Management Standard==
<br>
The Asset Management Standard defines Company objectives for establishing specific standards for the management of the networks, systems, and applications that store, process and transmit Company information assets. Company information assets are defined in the [[Sample Asset Identification and Classification Standard:|'''Sample Asset Identification and Classification Standard''']].
{| id="table1" width="100%" border="1"
 
| bgcolor="#C0C0C0" | '''Version'''
==Objectives==
| bgcolor="#C0C0C0" | '''Date'''
The Company systems, including hardware and software, must be managed in accordance with the information asset protection objectives established in the Asset Protection Standard throughout the life cycle from acquisition to disposal. Specific instructions and requirements for life cycle management of Company hardware and software are provided in the System Development Life Cycle Standard.<br>
| bgcolor="#C0C0C0" | '''Revised By'''
| bgcolor="#C0C0C0" | '''Description'''
|-
| '''<Version number>'''
| '''<Current date>'''
| '''<Owners's name>'''
| This version replaces any prior version.
|}
<br>
==Document Certification==
<br>
<br>
{| id="table1" width="100%" border="1"
The Company will establish and maintain Asset Protection Standards in accordance with the information asset protection objectives established in the Asset Protection Standard for each system represented in the Company production environment. Specific instructions and requirements for configuration management are provided in the Configuration Management Standard.<br>
| bgcolor="#C0C0C0" | '''Description'''
| bgcolor="#C0C0C0" | '''Date Parameters'''
|-
| '''Designated document recertification cycle in days:'''
| 30 - 90 - 180 - '''365''' '''<Select cycle>'''
|-
| '''Next document recertification date:'''
| '''<Future date>'''
|}
<br>
<br>
=='''Sample Asset Management Policy'''==
All systems, networks, and applications used in the Company production environment and in virtual premises, such as hosting sites, must follow the documented change control process and procedures to ensure that only authorized updates or changes are made. Specific instructions and requirements for change control are provided in the Change Control Certification Process Manual Standard.<br>
<br>
<br>
As stated in the Company [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']], the Company will follow a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures. The Information Security Program will protect information assets by establishing policies to identify, classify, define protection and management objectives, and define acceptable use of Company information assets.<br>
All production systems and applications developed by the Company or on behalf of the Company must adhere to the documented process of analyzing, designing, developing, testing, and enhancing systems to ensure the integration of appropriate security controls. Specific instructions and requirements for systems development are provided in the System Development Life Cycle Standard.<br>
<br>
<br>
This Asset Management Policy defines Company objectives for establishing specific standards for the management of the networks, systems, and applications that store, process and transmit Company information assets. Company information assets are defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
==Document Examples==
<br>
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
=='''I. Scope'''==
<br>
All employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on Company premises, at hosted or outsourced sites supporting the Company, or who have been granted access to Company information or systems, are covered by this policy and must comply with associated standards and guidelines.<br>
<br>
=='''II. Objectives'''==
<br>
The Company systems, including hardware and software, must be managed in accordance with the information asset protection objectives established in the [[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']] throughout the life cycle from acquisition to disposal. Specific instructions and requirements for life cycle management of Company hardware and software are provided in the [[Sample Life Cycle Management Standard:|'''Sample Life Cycle Management Standard''']].<br>
<br>
The Company will establish and maintain [[Sample Asset Protection Standards:|'''Sample Asset Protection Standards''']] in accordance with the information asset protection objectives established in the Asset Protection Policy for each system represented in the Company production environment. Specific instructions and requirements for configuration management are provided in the [[Sample Configuration Management Standard:|'''Sample Configuration Management Standard''']].<br>
<br>
All systems, networks, and applications used in the Company production environment and in virtual premises, such as hosting sites, must follow the documented change control process and procedures to ensure that only authorized updates or changes are made.  Specific instructions and requirements for change control are provided in the [[Sample Change Control Standard:|'''Sample Change Control Standard''']].<br>
<br>
All production systems and applications developed by the Company or on behalf of the Company must adhere to the documented process of analyzing, designing, developing, testing, and enhancing systems to ensure the integration of appropriate security controls. Specific instructions and requirements for systems development are provided in the [[Sample System Development Life Cycle Standard:|'''Sample System Development Life Cycle Standard''']].<br>
<br>
The Company will establish and maintain the [[Sample Legal Hold Standards:|'''Sample Legal Hold Standards''']] in coordination with the '''<Company's>''' General Counsel, Legal Department, or designated third party Legal Counsel.<br>
<br>
<br>
<gallery>
Image:Asset Management Standard.png|Asset Management Standard page one of six.
Image:Asset Management Standard(1).png|Asset Management Standard page two of six.
Image:Asset Management Standard(2).png|Asset Management Standard page three of six.
Image:Asset Management Standard(3).png|Asset Management Standard page four of six.
Image:Asset Management Standard(4).png|Asset Management Standard page five of six.
Image:Asset Management Standard(4).png|Asset Management Standard page six of six.
</gallery>


=='''III. Responsibilities'''==
[[File:Asset Management Standard.png]]
<br>
[[File:Asset Management Standard(1).png]]
The Chief Information Officer (CIO) is the approval authority for the Asset Management Policy.<br>
[[File:Asset Management Standard(2).png]]
<br>
[[File:Asset Management Standard(3).png]]
The Chief Information Security Officer (CISO) is responsible for the development, implementation, and maintenance of the Asset Management Policy and associated standards and guidelines.<br>
[[File:Asset Management Standard(4).png]]
<br>
[[File:Asset Management Standard(5).png]]
Legal counsel is responsible for ensuring that contracts, licenses, and service agreements enforce the Asset Management Policy and associated standards and guidelines.<br>
<br>
Company management is accountable for ensuring that the Asset Management Policy and associated standards and guidelines are properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Asset Management Policy and associated standards and guidelines.<br>
<br>
All individuals, groups, or organizations identified in the scope of this policy are responsible for familiarizing themselves and complying with the Asset Management Policy and associated standards and guidelines.<br>
<br>
=='''IV. Enforcement and Exception Handling'''==
<br>
Failure to comply with the Asset Management Policy and associated standards, guidelines, and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the Asset Management Policy should be submitted to <Title>. Exceptions shall be permitted only on receipt of written approval from <Title>.<br>
<br>
=='''V. Review and Revision'''==
<br>
The Asset Management Policy will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
Approved: _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Insert Name><br>
<br>
::Chief Information Officer<br>

Revision as of 19:49, 13 January 2014

Sample Asset Management Standard

The Asset Management Standard defines Company objectives for establishing specific standards for the management of the networks, systems, and applications that store, process and transmit Company information assets. Company information assets are defined in the Sample Asset Identification and Classification Standard.

Objectives

The Company systems, including hardware and software, must be managed in accordance with the information asset protection objectives established in the Asset Protection Standard throughout the life cycle from acquisition to disposal. Specific instructions and requirements for life cycle management of Company hardware and software are provided in the System Development Life Cycle Standard.

The Company will establish and maintain Asset Protection Standards in accordance with the information asset protection objectives established in the Asset Protection Standard for each system represented in the Company production environment. Specific instructions and requirements for configuration management are provided in the Configuration Management Standard.

All systems, networks, and applications used in the Company production environment and in virtual premises, such as hosting sites, must follow the documented change control process and procedures to ensure that only authorized updates or changes are made. Specific instructions and requirements for change control are provided in the Change Control Certification Process Manual Standard.

All production systems and applications developed by the Company or on behalf of the Company must adhere to the documented process of analyzing, designing, developing, testing, and enhancing systems to ensure the integration of appropriate security controls. Specific instructions and requirements for systems development are provided in the System Development Life Cycle Standard.

Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.

  • Asset Management Standard page one of six.

    Asset Management Standard page one of six.

  • Asset Management Standard page two of six.

    Asset Management Standard page two of six.

  • Asset Management Standard page three of six.

    Asset Management Standard page three of six.

  • Asset Management Standard page four of six.

    Asset Management Standard page four of six.

  • Asset Management Standard page five of six.

    Asset Management Standard page five of six.

  • Asset Management Standard page six of six.

    Asset Management Standard page six of six.

Retrieved from "http://horseproject.wiki/index.php?title=Sample_Asset_Management_Policy:&oldid=9883"