
R Systems International Ltd.

C-40, Sector 59
Noida 201 307
(U.P.), India
http://www.rsystems.com/

Asset Management Policy

Document Id.: ISPolicy031



Version No.: 3.2

Released on: 31/07/19

This document of R Systems International Ltd. is for internal circulation. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted in any form or by any means (recording,
photocopying, electronic and mechanical) without prior written permission of R Systems International Ltd.

Review History

| S No. | Review Date | Reviewed By | Remarks |
|---|---|---|---|
| 1 | 09/06/06 | ISMS Forum | Doc Changed and DCR raised |
| 2 | 07/09/06 | Abhishek Ramavat | Doc Changed and DCR raised |
| 3 | 01/06/09 | ISMS Forum | Doc Changed and DCR raised |
| 4 | 04/03/11 | Prabhas Dash | Doc Changed and DCR raised |
| 5 | 01/06/12 | ISMS Forum | No Change |
| 6 | 09/08/12 | Prabhas Dash | Doc Changed and DCR raised |
| 7 | 01/01/14 | Manager QAG | Doc Changed and DCR raised |
| 8 | 15/06/15 | Manager QAG | Doc Changed and DCR raised |
| 9 | 15/06/15 | Sanjay Chouhan - AVP IT Infrastructure | Doc Changed and DCR raised |
| 10 | 18/07/17 | Sanjay Chouhan - AVP IT Infrastructure | Doc Changed and DCR raised |
| 11 | 18/07/17 | Sanjay Chouhan - AVP IT Infrastructure | No Change |
| 12 | 29/07/19 | Sanjay Chouhan - AVP IT Infrastructure | Doc Changed and DCR raised |
| 13 | 28/07/20 | Sanjay Chouhan - Head IT Infra | No Change |
| 14 | 20/07/21 | Sanjay Chouhan - Head IT Infra | No Change |
| 15 | 20/07/22 | Head IT Infra/GM-Admin | No Change |

DOCUMENT CONTROL SHEET

Document History
| Ver. No. | Release Date | DCR Ref. | Description of Change | Authored/Revised By | Reviewed By | Approved By |
|---|---|---|---|---|---|---|
| 1.0 | 09/06/06 | DCR/ISMS/002 | Final release | QA Group | ISMS Forum | CISO |
| 1.1 | 07/09/06 | DCR/ISMS/004 | ISMS Pre-assessment audit finding incorporated | QA Group | Abhishek Ramavat | CISO |
| 2.0 | 01/06/09 | DCR/ISMS/058 | ISMS Periodic Review | QAG | ISMS Forum | CISO |
| 2.1 | 04/03/11 | DCR/ISMS/083 | Periodic Review | QAG – ISMS | Prabhas Dash | CISO |
| 2.1 | 01/06/12 | NA | ISMS Periodic Review | QAG | ISMS Forum | CISO |
| 2.2 | 09/08/12 | DCR/ISMS/105 | Classification changed to Internal | QAG – ISMS | Prabhas Dash | CISO |
| 2.3 | 01/01/14 | DCR/ISMS/112 | RSI Logo Updated | ISMS Team | Manager QAG | CISO |
| 3.0 | 15/06/15 | DCR/ISMS/122 | Document revised and updated as per ISO 27001:2013 | ISMS Team | Manager QAG | CISO |
| 3.0 | 15/06/15 | DCR/ISMS/132 | Annual Review- 22/06/16 | ISMS Team | Sanjay Chouhan - AVP IT Infrastructure | CISO |
| 3.1 | 18/07/17 | DCR/ISMS/136 | Annual Review: New Section 4.3.3 Re-use of Media added also Section 4.1.4 Unacceptable Use of Assets updated | ISMS Team | Sanjay Chouhan - AVP IT Infrastructure | CISO |
| 3.2 | 31/07/19 | DCR/ISMS/144 | Annual Review: Review Date 29/07/19. Sec-3 Scope updated by removing word Noida. | ISMS Team | Sanjay Chouhan - AVP IT Infrastructure | CISO |

Notes:
• Only controlled hardcopies of the document shall have signatures on them.
• This is an internal document. Unauthorized access or copying is prohibited.
• Uncontrolled when printed unless signed by approving authority.

© R Systems International Limited 2022

Table of Contents

1. Overview
2. Objective
3. Scope
4. Policy
4.1 Responsibilities of Assets
4.1.1 Inventory of Assets
4.1.2 Ownership of assets
4.1.3 Acceptable use of assets
4.1.3.1 General Use
4.1.3.2 Security and Proprietary Information
4.1.4 Unacceptable Use of Assets
4.1.5 Return of Assets
4.2 Information Classification
4.2.1 Information Classification
4.2.2 Labelling of Information
4.2.3 Handling of Assets
4.3 Media Handling
4.3.1 Management of Removable Media
4.3.2 Disposal of Media
4.3.3 Re-use of Media
4.3.4 Physical Media Transfer

©R Systems International Ltd Internal ISPolicy031

Asset Management Policy

1. Overview

R Systems intends to obtain the maximum benefit from the capital invested in its assets
throughout their life cycle. Thus the assets shall be identified, classified, protected,
managed and acceptably used in order to minimize downtime and maximize their
utilization.

2. Objective

• To achieve and maintain appropriate protection of organizational assets.
• To ensure that information receives an appropriate level of protection depending upon the criticality of information.

3. Scope

This policy applies to all information assets at R Systems International Limited.

4. Policy

4.1 Responsibilities of Assets

4.1.1 Inventory of Assets

All information assets shall be clearly identified and an inventory of all assets
will be drawn up and maintained. The asset inventory shall include the following
information:

• Type of asset
• Asset Owner
• Asset Business Value

4.1.2 Ownership of assets

All information and assets associated with information processing facilities
shall be owned by the asset owner and the respective department. The asset
owner shall be responsible for:
• Ensuring that information and assets associated with information processing facilities are classified; and
• Defining & periodically reviewing access restriction and classification.

Version No: 3.2 Page 5 of 9 Release Date: 31/07/19



4.1.3 Acceptable use of assets

4.1.3.1 General Use

• RSI's network administration should provide a reasonable level of privacy to the users for business purposes; users should be aware that the data they create on the corporate systems remains the property of RSI.
• Responsibility for exercising good judgment regarding the reasonableness of personal use should be that of the user of the asset. Individuals should be responsible for the use of Internet/Intranet/Extranet systems.
• Laptop users should agree to take shared responsibility for the security of their laptop and the information it contains as per the Communication Security Policy (ISPolicy033) and Operations Security Policy (ISPolicy047). They need to sign a Laptop Undertaking Form.
• For security and network maintenance purposes, authorized individuals within RSI should monitor equipment, systems and network traffic at any time and review them.

4.1.3.2 Security and Proprietary Information

• The user interface for information contained on Internet/Intranet/Extranet-related systems and hardcopies should be classified as Confidential, Restricted, Internal or Public.
• Authorized users should be responsible for the security of their passwords and accounts. System and user level passwords should be changed after a fixed duration of time.
• All PCs, laptops and workstations shall be password protected.
• Information contained on portable computers is vulnerable; special care should be exercised by their users. For more details, refer to the Laptop Security policy.
• Postings by employees from an RSI email address should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of RSI, unless posting is in the course of business duties.
• All hosts used by the employee that are connected to the RSI Internet/Intranet/Extranet, whether owned by the employee or RSI, should be continually executing approved virus-scanning software with a current virus database.
• Employees should take caution while opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
• In case an Asset (Laptop, Hardware Equipment, etc.) is lost or stolen, appropriate authorities should be intimated as per the Information Security Incident Management Policy (ISPolicy036).
• Information should not be left unattended at Photocopiers, Printers, Fax machines, etc.
• The custodian of any form of information storage media should be responsible for the asset.
• No personal electronic & computing devices are allowed on the floors compliant with the PCI DSS standard.

4.1.4 Unacceptable Use of Assets

The following activities are, in general, prohibited. Employees may be
exempted from these restrictions during the course of their legitimate job
responsibilities (e.g., systems administration staff may have a need to disable
the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of RSI authorized to engage in any
activity that is illegal under law while utilizing RSI-owned resources.

4.1.5 Return of Assets

• All employees, contractors and third party users shall be required to return all of the organization's assets in their possession upon termination or change of their employment, contract or agreement as defined in the HR Manual.
• The termination procedure shall include but not be limited to:
  1. To return all software, documents, and equipment previously issued by RSI. Other organizational assets such as mobile computing devices, credit cards, access cards, and information stored on electronic media shall also be returned.
  2. To ensure that all relevant information is transferred to the organization and securely erased from the equipment in cases where an employee, contractor or third party user purchases the organization's equipment or uses their own personal equipment.
  3. To document and transfer information to RSI in cases where an employee, contractor or third party user has knowledge that is important to ongoing business operations.

4.2 Information Classification

4.2.1 Information Classification


Information shall be classified in terms of its value, sensitivity and criticality to
RSI and as per inputs provided by the asset owner. The asset owner shall
be responsible for the classification of the assets. The level of protection
shall be assessed by the Confidentiality, Integrity & Availability aspects of
the information. Classification criteria are mentioned in the Asset
Management Procedure.

4.2.2 Labelling of Information


An appropriate set of procedures for information labeling and handling shall be
developed and implemented in accordance with the classification scheme
mentioned in the Classification Guideline. The process for labeling of
information assets shall be as defined in Asset Management Procedure
(ISProc019).
Information assets will be labeled (marked) physically and/or electronically
using the classification scheme only to indicate the level of confidentiality of
the information. This shall exclude Public information.

The following information shall not be labeled at RSI:

• Client supplied information including source codes, designs and brochures;
• Information available at Software Project Database;
• Information and data produced before March 2006.

For each classification level, handling procedures including the secure
processing, storage, transmission, declassification, and destruction shall be
defined.

4.2.3 Handling of Assets

Procedures for the handling and storage of information shall be established to
protect this information from unauthorized disclosure or misuse. The
procedures shall include but not be limited to:
• Handling and labeling of all media according to its indicated classification level;
• Access restrictions to prevent access from unauthorized personnel;
• Storage of media in accordance with required specifications;
• Ensuring that input processing is properly completed; and
• Keeping the distribution of data to a minimum.

4.3 Media Handling

4.3.1 Management of Removable Media


Media shall be controlled and physically protected. Procedures shall be
established for:

• Erasing content from reusable media;
• Storage of media in a safe & secure environment; and
• Authorization for use of removable media.

This shall be defined in Asset Management Procedure (ISProc019).

4.3.2 Disposal of Media

Media containing information valued as critical and vital shall be disposed of
securely and safely when no longer required. Formal procedure/guidelines for
disposal of media shall be established to minimize the risk of sensitive
information leakage to unauthorized persons. (Refer to E-Waste
Management Policy ISPolicy041 and Asset Management Procedure
ISProc019)

4.3.3 Re-use of Media

R Systems will ensure that, prior to re-using the media, it is securely
overwritten and that such action is verified. Also, any previous label on media
that is to be overwritten is removed and destroyed.

Media Re-use is a required implementation specification defined within the
Device and Media Controls standard 164.310(d)(1) in the Physical
Safeguards category of the HIPAA Security Rule.

4.3.4 Physical Media Transfer

Media containing information shall be protected against unauthorized access,
misuse or corruption during transportation beyond RSI's physical
boundaries.
