
Information Security Policy Manual - V 0.0 - Draft

TABLE OF CONTENTS

8. Asset Management ........................................................ 2
8.1 Responsibility of Information Assets ................................... 2
8.1.1 Inventory of Assets .................................................. 2
8.1.2 Ownership of Assets .................................................. 3
8.1.3 Acceptable Use of Assets ............................................. 3
8.2 Information Classification ............................................. 4
8.2.1 Classification Guidelines ............................................ 5
8.2.2 Information Labeling and Handling .................................... 8
8.3 Related Information Security Policies .................................. 9

8. Asset Management

8.1 Responsibility of Information Assets


Objective:
To achieve and maintain appropriate protection of XYZ BANK’s information assets. All information
assets shall be accounted for and have a nominated owner. Owners shall be identified for all
information assets and the responsibility for the maintenance of appropriate controls shall be
assigned.
Note: For the purpose of this document, wherever the term ‘Asset’ appears, it refers to ‘Information
Asset’.

8.1.1 Inventory of Assets
Control:
All XYZ BANK assets shall be clearly identified and an inventory of all significant assets
drawn up and maintained.
Policy:
The following policy shall govern the inventory of the XYZ BANK’s information assets:

1. The CSO shall identify all XYZ BANK’s information assets and document the
importance of these assets.

2. The asset inventory shall include all necessary information, including:
a) The type of asset
b) Format
c) Location
d) Backup information
e) License information
f) Retention period

3. The CSO shall ensure that all XYZ BANK’s information-related assets are identified
and tracked.

4. The physical assets inventory shall be updated for any change to the assets.

5. In addition, ownership (see 8.1.2) and information classification (see 8.2) shall be
agreed and documented for each of the assets. Based on the importance of the
asset, its business value and its security classification, levels of protection
commensurate with the importance of the assets shall be identified.

INTERNAL - XYZ BANK Use Only Asset Management



8.1.2 Ownership of Assets


Control:
All major XYZ BANK information, software, and physical assets, as well as services, shall
be accounted for and have a nominated owner. The owner shall be responsible for the
maintenance and security of each asset.
Policy:
The following policy shall govern the ownership of the XYZ BANK’s information assets:

1. The ownership of each information asset shall be defined;

2. The information asset owner shall be responsible for:
a) Ensuring that information and assets associated with information processing
facilities are appropriately classified (see 8.2.1 Classification Guidelines);
b) Defining and periodically reviewing access restrictions and classifications,
taking into account applicable access control policies.

8.1.3 Acceptable Use of Assets


Control:
Rules for the acceptable use of information and assets associated with information
processing facilities shall be identified, documented and implemented.
Policy:
The following policy shall govern the acceptable use of assets:

1. Users shall be authorized only to utilize XYZ BANK’s information resources for
the business purposes for which they have been authorized. Usage of XYZ BANK
information systems and resources for personal purposes or on behalf of a third party
(i.e., personal customer, family member, political, religious, charitable or school
organization, etc.) shall be strictly prohibited;

2. Introduction of unauthorized copies of licensed software & hardware
(piracy/copyright & patent infringement) (see chapter 16 “Compliance”) to XYZ
BANK information resources and the copying of such material shall be prohibited;

3. The storage, processing, or transmittal of unauthorized copies of licensed software
& hardware (piracy/copyright & patent infringement) by XYZ BANK personnel or
associates shall be strictly prohibited;

4. Only Automation staff shall be allowed to install any kind of software on the user’s
system. Users shall not be given the authority to install software;

5. Introduction of freeware and shareware software, whether downloaded from the
Internet or obtained through any other media, to XYZ BANK information systems
shall be subject to a formal evaluation and approval process prior to its installation;

6. Freeware and shareware applications shall be evaluated and tested by the CSO
before installation on XYZ BANK information resources is permitted;

7. Usage of XYZ BANK information systems to store, process, download or transmit
data that can be construed as biased (politically, religiously, racially, ethnically,
etc.) or supportive of harassment shall be strictly prohibited;

8. Downloading, redistribution and printing of copyrighted articles, documents, or
other copyrighted materials to XYZ BANK information systems shall be strictly
prohibited;

9. Receiving, printing, transmitting, or otherwise disseminating proprietary data,
business secrets of XYZ BANK or other confidential information in violation of bank
policies or proprietary agreements shall be strictly prohibited;

10. Downloading inappropriate material such as picture files, music files, or video files
for personal use shall be strictly prohibited;

11. Games are not permitted and shall be removed from all systems;

12. Introduction of destructive programs (e.g., viruses, self-replicating code) in order to
cause intentional damage, interfere with others, gain unauthorized access, or
inhibit production on XYZ BANK’s information systems shall be strictly prohibited;

13. All users shall limit their usage of external services (e.g., bulletin board, on-line
service provider, Internet site, and commercial database) to authorized business
purposes;

14. All users shall further comply with the policies, standards, and procedures of the
external service (e.g., bulletin board, on-line service provider, Internet site, and
commercial database) that they are using. This statement is subject to the following
exceptions:
a) Where the external service’s policy, standard, or procedure does not cover a
specific issue covered here;
b) Where the external service’s policy, standard, or procedure is less stringent
than this policy;
c) Where an external service’s policy, standard, or procedure does not exist.

8.2 Information Classification


Objective:
XYZ BANK’s information assets shall be classified to indicate the need, priorities, and expected
degree of protection when handling the information. The information classification scheme shall be
used to define an appropriate set of protection levels and communicate the need for special
handling measures.


8.2.1 Classification Guidelines


Control:
Information shall be classified in terms of its value, legal requirements, sensitivity, and
criticality to XYZ BANK.
Policy:
The following policy shall govern the classification of the XYZ BANK’s information assets:

1. Responsibility for Classification:
The owner of the information asset shall be responsible for assigning the
appropriate classification level and applying the appropriate labelling. Periodic
reviews shall be performed by the owner and, where appropriate, the owner shall
reclassify the information asset when its value or inherent risk has changed.

2. The information classification shall be as follows:
a) Public - XYZ BANK information that is designed to be in the public domain
or is readily acquired in the marketplace;
b) Internal - Information for general use by all XYZ BANK employees;
c) Confidential - Highly sensitive or critical information. Its knowledge is
restricted among XYZ BANK employees (authorized by the management),
XYZ BANK legal entities, business units, or other functional groups specified
by the Information Owner and XYZ BANK management.

The information assets shall be classified into one of the above categories after
analyzing the risks affecting information assets. The risks to consider for
classifying assets are:
a) Loss of Confidentiality
b) Loss of Integrity
c) Loss of Availability

Confidentiality Criteria
These criteria define the level of confidentiality to be accorded to the information
assets and consequently the level of accessibility to the information it contains or
represents.

Risk Rating | Accessibility | Impact
Low | Public | Public Information. No impact. Such information comes from public sources or is provided by the Bank to the general public. Examples include periodicals, public bulletins, published bank financial statements, published press releases, etc.
Medium | Internal | Internal Information. Such information is the property of the Bank. The Bank has the sole right over this information (exception: subjects of the information in most cases will also have rights to the information, such as a third-party contractor having access rights to their contract). This form of information must be used within the Bank and not shared with third parties. Such information must be restricted to departmental personnel only. Examples include departmental memos, work programs, schedules, departmental plans, etc.
High | Confidential | Confidential Information. Confidential information is the most sensitive form of information. It is so sensitive that disclosure or usage would have a definite impact on the Bank’s business and its future prospects. Extremely restrictive controls need to be applied (e.g., very limited audience). Examples include strategic plans, investment decisions, etc.

Integrity Criteria
Integrity of information relates to the impact of unauthorized modification to an
information asset or loss of the information asset or data contained therein.

Risk Rating | Impact
Low | No impact.
Medium | Loss of integrity of the information asset (either partially or completely) could cause minor embarrassment to the Bank. The integrity of the information can be easily recovered without significant effort.
High | Loss of integrity of the information asset (either partially or completely) could cause embarrassment and/or negative publicity to the Bank. The integrity of the information may be recovered at a moderate financial cost to the Bank.


Availability Criteria
Availability criteria relate to the impact of an information asset being
unavailable. Availability criteria are further subdivided into long-term
unavailability and short-term unavailability.

Risk Rating | Classification | Impact
Low | Non Critical | No impact. The asset can be easily replaced. These assets may be interrupted for an extended period of time, at little or no cost to the Bank, and require little or no catching up when restored.
Medium | Vital | Unavailability of the asset will not significantly affect the Bank’s operations and services. These assets can be replaced by manual processes, but only for a brief period of time. There is a higher tolerance to interruption than with highly critical systems and therefore somewhat lower costs of interruption, provided that functions are restored within a certain timeframe.
High | Highly Critical | Unavailability of the asset for any time frame will significantly affect multiple operations and services. These assets cannot be operated unless they are replaced by identical capabilities. Highly critical assets cannot be replaced by manual methods. Tolerance to interruption is very low; therefore the cost of interruption is very high.

3. The CSO shall assist information owners in the asset classification process to
ensure that all XYZ BANK’s information-related assets are appropriately classified.
However, the prime responsibility for asset classification shall remain with the
designated information asset owner.

4. The classification of each information asset shall be reviewed annually by the
information asset owner and may be amended in accordance with the asset
classification scheme and related guidelines in force at the time.


8.2.2 Information Labeling and Handling


Control:
An appropriate set of procedures for information labeling and handling shall be developed
and implemented in accordance with the classification scheme adopted by XYZ BANK.
Policy:
The following policy shall govern the Labeling and Handling of XYZ BANK’s information:

1. Copying Information
Information classified as “CONFIDENTIAL” shall be copied only after appropriate
management approval;

2. Information Storage
When not in use, all tangible “CONFIDENTIAL” information shall be stored in
locked drawers, cabinets, or rooms specifically designated for that purpose and
accessible only by individuals authorized by the information owner.
All electronic “CONFIDENTIAL” information shall be encrypted using a method
approved by the CSO when stored on any electronic media. Additionally, users
shall ensure that no sensitive information is stored on their hard drive unless its
access is appropriately restricted.
Information such as passwords, when stored on information systems, shall also
be encrypted;

3. Record Retention
The Information Owner shall establish the retention schedule, identifying
essential record types and the period for which they are required to be retained.
Removal of information from storage shall be authorized by the Information Owner
and logged to provide an audit trail;

4. Fax Messages
When faxing “INTERNAL” or “CONFIDENTIAL” data from outside XYZ BANK
premises, the fax machine shall not be left unattended.
Information sent via fax shall include the XYZ BANK fax cover page with a
classification and a disclaimer that the information sent is for the use of the
intended recipient only;

5. Telephones
When using the telephone, especially a speakerphone or public phone, to
discuss sensitive information, users shall ensure that their conversations cannot
be overheard;

6. E-mail
Encryption shall be used when sending “CONFIDENTIAL” information through
third-party e-mail services to internal recipients and/or members.

8.3 Related Information Security Policies


Chapter 16 – Compliance
