IS Policy - Domain 3 - Asset Management v0.0 - Draft
TABLE OF CONTENTS
8. ASSET MANAGEMENT ... 2
8.1 RESPONSIBILITY OF INFORMATION ASSETS ... 2
8.1.1 INVENTORY OF ASSETS ... 2
8.1.2 OWNERSHIP OF ASSETS ... 3
8.1.3 ACCEPTABLE USE OF ASSETS ... 3
8.2 INFORMATION CLASSIFICATION ... 4
8.2.1 CLASSIFICATION GUIDELINES ... 5
8.2.2 INFORMATION LABELING AND HANDLING ... 8
8.3 RELATED INFORMATION SECURITY POLICIES ... 9
Information Security Policy Manual - V 0.0 - Draft
8. Asset Management
8.1.1 Inventory of Assets
Control:
All XYZ BANK assets shall be clearly identified and an inventory of all significant assets
drawn up and maintained.
Policy:
The following policy shall govern the inventory of the XYZ BANK’s information assets:
10. The CSO shall identify all XYZ BANK’s information assets and document the
importance of these assets.
11. The asset inventory shall include all necessary information including:
a) The type of asset
b) Format
c) Location
d) Backup information
e) License information
f) Retention period
12. The CSO shall ensure that all XYZ BANK’s information-related assets are identified
and tracked.
13. The physical assets inventory shall be updated for any change to the assets.
14. In addition, ownership (see 8.1.2) and information classification (see 8.2) shall be
agreed and documented for each asset. Based on the importance of the asset, its
business value and its security classification, levels of protection commensurate
with that importance shall be identified.
19. Users shall be authorized to use XYZ BANK’s information resources only for the
business purposes for which they have been authorized. Use of XYZ BANK
information systems and resources for personal purposes or on behalf of a third party
(e.g., a personal customer, family member, or a political, religious, charitable or school
organization) shall be strictly prohibited;
22. Only Automation staff shall be allowed to install any kind of software on a user’s
system. Users shall not be given the authority to install software;
23. Introduction of freeware and shareware software whether downloaded from the
Internet or obtained through any other media to XYZ BANK information systems
shall be subject to a formal evaluation and approval process prior to its installation;
24. Freeware and shareware applications shall be evaluated and tested by the CSO
before installation on XYZ BANK information resources is permitted;
25. Use of XYZ BANK information systems to store, process, download or transmit
data that can be construed as biased (politically, religiously, racially, ethnically,
etc.) or supportive of harassment shall be strictly prohibited;
28. Downloading inappropriate material such as picture files, music files, or video files
for personal use shall be strictly prohibited;
29. Games are not permitted and shall be removed from all systems;
31. All users shall limit their usage of external services (e.g., bulletin board, on-line
service provider, Internet site, and commercial database) to authorized business
purposes;
32. All users shall further comply with the policies, standards, and procedures of the
external service (e.g., bulletin board, on-line service providers, Internet site, and
commercial database) that they are using. This statement is subject to the following
exceptions:
a) Where the external service’s policy, standard, or procedure does not cover a
specific issue covered here;
b) When the external service’s policy, standard, or procedure is less stringent
than this policy;
c) Where an external service’s policy, standard, or procedure does not exist.
Confidentiality Criteria
These criteria define the level of confidentiality to be accorded to the information
assets and consequently the level of accessibility to the information it contains or
represents.
releases, etc.
Integrity Criteria
Integrity of information relates to the impact of unauthorized modification to an
information asset or loss of the information asset or data contained therein.
Risk Rating | Impact
Low | No impact
Availability Criteria
Availability criteria relate to the impact of an information asset being
unavailable. Availability criteria are further subdivided into long-term
unavailability and short-term unavailability.
Risk Rating | Impact
High (Highly Critical) | Unavailability of the asset for any time frame will significantly affect multiple operations and services. These assets cannot be operated unless they are replaced by identical capabilities. Highly critical assets cannot be replaced by manual methods. Tolerance to interruption is very low; therefore the cost of interruption is very high.
36. The CSO shall assist information owners in the asset classification process to
ensure that all XYZ BANK’s information-related assets are appropriately classified.
However, the prime responsibility for asset classification shall remain with the
designated information asset owner.
43. Telephones
When using the telephone, especially a speakerphone or public phone, to
discuss sensitive information, users shall ensure that their conversations cannot
be overheard.
44. E-mail
Encryption shall be used when sending “CONFIDENTIAL” information through
third party email services to internal recipients and/or members.
INTERNAL - XYZ BANK Use Only - Asset Management - Page 8