
Asset Management

Example Policy
Author: A Heathcote
Date: 24/05/2017
Version: 1.0

Copyright © 2017 Health and Social Care Information Centre.


The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.
Asset Management

Contents
1 Purpose
2 Scope
3 Applicability
4 Guidance
  Terminology
  Policy
  Asset Categorisations
  Asset Classification
  Asset Identification and Register
  Asset Management
  Asset Disposal
5 Key Words


1 Purpose
The purpose of this Asset Management Example Policy is to provide exemplar
guidance, in line with HMG and private sector best practice, for the production of an
Asset Management Policy. It is intended to allow the reader to produce the
necessary policy and guidance for their business area and to ensure that the
applicable and relevant security controls are put in place in line with Department
of Health, wider NHS, health and social care and HMG requirements.

2 Scope
The drafting of any policy governing the production of an Asset Management policy
for NHS systems, devices or applications and information deployed in support of NHS
or health and social care business functions.

3 Applicability
This Example Policy is applicable to and designed for use by any NHS, health and
social care or associated organisations that use or have access to NHS systems
and/or information at any level.

4 Guidance
This Example Policy provides guidance on the production of an Asset Management
Policy. The Example Policy is in italics, with areas for insertion shown as <> and the
rationale for each paragraph or section, where required, in [...]. This Example Policy
is supported by a more detailed Good Practice Guide on Asset Management, which
can be used to assist in determining what is and what is not required in the exemplar
policy shown here.

Terminology
Term: Definition

SHALL: This term is used to state a Mandatory requirement of this policy

SHOULD: This term is used to state a Recommended requirement of this policy

MAY: This term is used to state an Optional requirement

Policy
The Asset Management Policy shall be used to ensure that all <insert name of
organisation> information assets (IT and physical hard copy) are identified,
categorised, classified and recorded.
[The aim of the policy statement is to outline the requirement, which is to identify,
categorise, classify and manage all information assets within the organisation.]


Asset Categorisations
• <Insert name of organisation> information assets are defined as the hardware and
software that forms constituent parts of the IT system storing and processing the
information and physical hard copies (e.g. paper reports and x-rays). An Asset
Register shall be used and the processes outlined in this policy shall be adhered to
for the asset management.
• The first stage of the process is the categorisation of the assets. The assets shall be
categorised using the below list as the framework:
  • Hardware
    • Desktops
    • Monitors
    • Laptops
    • Printers
    • Media – CDs, DVDs, optical disks, external hard drives, USB memory sticks
      (also known as pen drives and flash drives), media card readers, embedded
      microchips (including smart cards and mobile phone SIM cards), MP3
      players, digital cameras, backup cassettes, audio tapes (including
      Dictaphones and answering machines), etc.
    • Photocopiers
    • Fax Machines
    • Servers
    • Firewalls
    • Routers
    • Switches
    • Tokens
    • Keys
  • Software
    • Databases
    • Applications
    • Software Licences
    • Support/Warranty Contracts
    • Development software
    • Utilities software
    • Data files
  • Physical
    • Hardcopy documents – files, letters, patient records, etc.
    • X-rays, CT scans, MRI reports, etc.
    • Microfiche


[This section outlines the core categories used within information asset management.
Additional high-level and sub-categories can be used if appropriate for the organisation;
conversely, fewer can also be appropriate if the organisation does not use all the sub-
categories. The main aim is to group assets together, as this will assist in the
management and security controls to be implemented.]

Asset Classification
• Each asset shall be classified.
• The assets containing NHS information shall be classified using the NHS descriptors
of NHS Confidential and NHS Protect as required.
• The assets containing HMG information shall be classified in accordance with the
Government Security Classification Scheme (GSCS), which has 3 classifications and
can be summarised as:
  • OFFICIAL – all information produced or processed is defined as OFFICIAL. This
    includes routine business operations and services, some of which could have
    damaging consequences if lost, stolen or published in the media, but are not
    subject to a heightened threat profile. Where this information is perceived to be of
    a sensitive nature a security marking of SENSITIVE is used, i.e. OFFICIAL-SENSITIVE;
    three additional descriptors can be used: PERSONAL (for personal
    data), COMMERCIAL (for sensitive financial or contractual data) and LOCSEN
    (for where locally employed personnel are used and their use is sensitive).
  • SECRET – very sensitive information that justifies heightened protective measures
    to defend against determined and highly capable threat actors. For example,
    where compromise could seriously damage military capabilities, international
    relations or the investigation of serious organised crime. (Note: the NHS is likely to
    hold and process very limited amounts of information at SECRET.)
  • TOP SECRET – HMG’s most sensitive information, requiring the highest levels of
    protection from the most serious threats. For example, where compromise could
    cause widespread loss of life or else threaten the security or economic wellbeing
    of the country or friendly nations. (Note: the NHS is likely to hold and process
    extremely limited amounts of information at TOP SECRET.)
[All information assets require classification. The size and role of the organisation will
determine how much of this section is appropriate. Larger organisations that interact
with other NHS and Government departments will need to follow the GSCS as well as
the NHS classification method of NHS CONFIDENTIAL and NHS PROTECT. Smaller
organisations may primarily use the NHS classifications, but it would be best practice to
either map or include the GSCS within the classification process to facilitate data
handling between agencies, NHS organisations and the wider public sector.]

Asset Identification and Register
• All <insert name of organisation> information assets shall be recorded in a register.
Each register shall include, as a minimum, the below information:
  • Product Number
  • Asset Number/Purchase Order No
  • A unique serial number
  • Location/User
  • Support/Warranty Information
  • Category of asset
  • Classification of asset
  • Asset Owner (normally the Information Asset Owner (IAO))
  • Final disposal details.
[A comprehensive but appropriate information asset register will facilitate asset
management and risk management. The fields and asset numbering process should
relate to the organisation’s holdings and mode of operating. For instance, smaller
organisations may have outsourced their IT to a third-party provider; where this is the
case the policy should reflect that the contract with the IT provider must include the
requirement for that provider to have an asset register and identify which assets hold
data on the organisation.]

Asset Management
• Ownership of each Information Asset shall be linked to the relevant IAO and recorded
on the Asset Register.
• Each IAO shall know:
  • What information is held and the nature of the information.
  • Who has access and the purpose of that access.
• IAOs shall provide reports to the <insert name of organisation> Senior Information
Risk Owner (SIRO) on the assurance and usage of their assets, suggested as at least
annually.
[For smaller organisations, the role of SIRO may be undertaken as a secondary role by a
senior partner or the owner of the business, provided the individual/role is in a
position to make the informed, executive decisions that the SIRO function requires.
Also, the IAO role may be part of the information governance lead within smaller
organisations where the size does not merit one or several IAOs. The main criterion is that
the role or person undertaking the IAO-type role can determine and understand what the
information is used for and can therefore make informed decisions on issues such as its
classification.]

Asset Disposal
• All <insert name of organisation> assets that involve HMG data/information shall be
disposed of in accordance with the requirements of Government Guidance for the
type of asset and its classification.
• All <insert name of organisation> assets that involve NHS data/information shall be
disposed of in accordance with the requirements of Government Guidance for the
type of asset and its classification using the below mapping:
  • NHS Protect as for OFFICIAL; and
  • NHS Confidential as for OFFICIAL-SENSITIVE
• The specialists handling the disposal of the asset shall ensure that the following is
recorded in the Information Asset Register:
  • the date, time, method and personnel responsible for the disposal of the asset.
[The aim of this function is to ensure that assets are identified and managed all the way
through to their final disposal.]

5 Key Words
Application, Asset Categorisation, Asset Classification, Asset Disposal, Asset
Identification, Asset Management, Hard Copy, Hardware, IAO, Information
Asset, SIRO, Software
