ISO 27001:2013  A. 8 Asset management 

by Pretesh Biswas,

An asset is an item of value. An asset is defined as “Any item of economic value owned by an individual or corporation”. It can be referring to items such as buildings, utility infrastructure such as electrical cables, water pipes, rail lines, and metro tunnels, and industrial assets such as oil rigs, chemical plants, and process plant conveyors. Asset and data management is based on the idea that it is important to identify, track, classify, and assign ownership for the most important assets in the organization to ensure they are adequately protected. Tracking inventory of IT hardware is the simplest example of asset management. Knowing what you have, where it lives, how important it is, and who’s responsible for it. An Information Asset is an item of value containing information. The same concepts of general asset management apply to the management of information assets (e.g., data). To be effective, an overall asset management strategy should include information assets, software assets, and information technology equipment. In addition, the people employed by an organization, as well as the organization’s reputation, are also important assets not to be overlooked in an effective asset management strategy.

These asset types and the vital understanding of their business context are illustrated in Figure above. The organization should recognize such interdependencies and make appropriate provisions for the indirect “enablers” that are required to optimize the value of physical assets. Conversely, organizations that are heavily dependent upon physical assets should also recognize that deficiencies in the management of other asset types may have a profound impact on the overall or long-term performance of their physical assets and thus their organizational performance. Such organizations should recognize that all assets will need to be managed in an integrated and holistic manner. For example:

  • Human assets: the behaviours, knowledge, and competence of the workforce have a fundamental influence on the performance of the physical assets.
  • Financial assets: financial resources are required for infrastructure investments, operation, maintenance and materials;
  • Information assets: good quality data and information are essential to develop, optimize and implement the asset management plan.
  • Intangible assets: the organization’s reputation and image can have a significant impact on infrastructure investment, operating strategies and associated costs.

An organization should be in a position to know what physical, environmental, or information assets it holds, and be able to manage and protect them appropriately. Important elements to consider when developing an asset and data management strategy are:

  • Inventory (do you know what assets you have & where they are?)
  • Responsibility/Ownership (do you know who is responsible for each asset?)
  • Importance (do you know how important each asset is in relation to other assets?)
  • Establish acceptable-use rules for information and assets.
  • Establish procedures for the labelling of physical and information assets.
  • Establish return of asset procedures (do you have an employee exit procedure?)
  • Protection (is each asset adequately protected according to how important it is?)

Level of Assets

There are different levels at which asset units can be identified and managed, ranging from discrete equipment items or components to complex functional systems, networks, sites, or diverse portfolios. Many organizations identify assets as equipment units (sometimes referred to as “maintenance significant items” – the unit at which maintenance tasks or work orders are directed), whereas others use the term to describe functional systems or even integrated business units. It does not matter at what such level an asset unit is identified, provided that:

  • the organization’s goals and strategic priorities are directly reflected in the asset management plans.
  • the asset life cycle costs, risks, and performance are considered and optimized. (This will usually require the definition of clear asset boundaries for measuring performance, life cycle expenditures and attributing associated risks.)
  • the aggregations of assets (through integrated asset systems) and contributions of value (as part of the organization’s portfolio) are managed in a coordinated and consistent manner.
  • all parts of the organization understand and use the same terminology in relation to the assets, their components, and their asset system groupings or aggregations.

This hierarchy brings challenges and opportunities at different levels. For example, discrete equipment items may have identifiable individual life cycles that can be optimized, whereas asset systems may have an indefinite horizon of required usage. Sustainability considerations should, therefore, be part of optimized decision-making. A larger organization may also have a diverse portfolio of asset systems, each contributing to the overall goals of the organization, but presenting widely different investment opportunities, performance challenges, and risks. An integrated asset management system is therefore essential to coordinate and optimize the diversity and complexity of assets in line with the organization’s objectives and priorities. The asset management focus will tend to differ at the various levels of asset integration in an organization. The figure below shows examples of priorities that might be evident at the different levels of asset integration and management

Asset Management

Asset and data management is based on the idea that it is important to identify, track, classify, and assign ownership for the most important assets in your organization to ensure they are adequately protected. Tracking inventory of IT hardware is the simplest example of asset management. Knowing what you have, where it lives, how important it is, and who’s responsible for it are all important pieces of the puzzle. Similarly, an Information Asset is an item of value containing information. Managing assets effectively for utilities is not optional these days. Across the globe, every society is faced with a significant asset management challenge:

  • Emerging economies are trying to identify the lowest cost I highest return investments to achieve maximum immediate benefit
  • Rapidly developing countries are faced with understanding the life cycle costs of their infrastructure. More mature economies are trying to find ways of extending the life of their infrastructure and also meet major global challenges like climate change

Asset Management can be defined as systematic and coordinated activities and practices through which an organization optimally and sustainably manages its assets and asset systems, their associated performance, risks, and expenditures over its life cycles for the purpose of achieving its organizational strategic plan.

The same concepts of general asset management apply to the management of information assets (e.g., data). To be effective, an overall asset management strategy should include information assets, software assets, and information technology equipment. In addition, the people employed by an organization, as well as the organization’s reputation, are also important assets not to be overlooked in an effective asset management strategy. An organization should be in a position to know what physical, environmental, or information assets it holds, and be able to manage and protect them appropriately. Important elements to consider when developing an asset and data management strategy are:

  • Inventory (do you know what assets you have & where they are?)
  • Responsibility/Ownership (do you know who is responsible for each asset?)
  • Importance (do you know how important each asset is in relation to other assets?)
  • Establish acceptable-use rules for information and assets.
  • Establish procedures for the labelling of physical and information assets.
  • Establish return of asset procedures (do you have an employee exit procedure?)
  • Protection (is each asset adequately protected according to how important it is?)

Good asset management considers and optimizes the conflicting priorities of asset utilization and asset care, of short-term performance opportunities and long-term sustainability, and between capital investments and subsequent operating costs, risks, and performance. “Life cycle” asset management is also more than simply the consideration of capital costs and operating costs over pre-determined asset “life” assumptions. Truly optimized, whole life asset management includes risk exposures and performance attributes and considers the asset’s economic life as the result of an optimization process (depending upon the design, utilization, maintenance, obsolescence, and other factors).

Asset Management is important because it can help organizations to:

  1. Reduce the total costs of operating their assets
  2. Reduce the capital costs of investing in the asset base
  3. Improve the operating performance of their assets (reduce failure rates, increase availability, etc)
  4. Reduce the potential health impacts of operating the assets
  5. Reduce the safety risks of operating the assets
  6. Minimize the environmental impact of operating the assets
  7. Maintain and improve the reputation of the organization
  8. Improve the regulatory performance of the organization
  9. Reduce legal risks associated with operating assets

The key to good Asset Management is that it OPTIMISES these benefits. That means that asset management takes all of the above into account and determines the best blend of activities to achieve the best balance for all of the above for the benefit of the organization. Asset Management is explicitly focused on helping organizations to achieve their defined objectives and to determine the optimal blend of activities based on these objectives.

The principles of asset management

Asset management is a holistic view and one that can unite different parts of an organization together in pursuit of shared strategic objectives. The key principles and attributes of successful asset management can be explained as follows:

  • Holistic: looking at the whole picture, i.e. the combined implications of managing all aspects (this includes the combination of different asset types, the functional interdependencies and contributions of assets within asset systems, and the different asset life cycle phases and corresponding activities), rather than a compartmentalized approach.
  • Systematic: a methodical approach, promoting consistent, repeatable and auditable decisions and actions.
  • Systemic: considering the assets in their asset system context and optimizing the asset systems value (including sustainable performance, cost, and risks) rather than optimizing individual assets in isolation.
  • Risk-based: focussing resources and expenditure, and setting priorities, appropriate to the identified risks and the associated cost/benefits;
  • Optimal: establishing the best value compromise between competing factors, such as performance, cost, and risk, associated with the assets over their life cycles.
  • Sustainable: considering the long-term consequences of short-term activities to ensure that adequate provision is made for future requirements and obligations (such as economic or environmental sustainability, system performance, societal responsibility, and other long-term objectives).
  • Integrated: recognizing that interdependencies and combined effects are vital to success. This requires a combination of the above attributes, coordinated to deliver a joined-up approach and net value.

A key principle in Asset Management is a LINE OF SIGHT…that means:

  • An approach within an organization that looks to line up the work that is done directly on assets with the objectives of that organization.
  • A discipline which recognizes, accommodates and aligns the risk of owning a particular asset with the goals of the organization that operates the asset

Some Examples
Eg.1. A good ‘asset management’ decision might be to purchase an expensive, high specification stainless steel piping system within an industrial process. Whilst the initial cost is higher, the maintenance costs may be lower and the expected life 3 times longer, the risk of disruptive failure may be lower, and therefore the risk to the organization from a performance, health & safety, and environmental perspective consequently much lower. The total life cycle costs, therefore, may be lower and the total risk to the organization through purchasing the more expensive piping system, therefore, represents a good asset management decision.
Eg.2. A poor asset management decision might be to reduce the frequency of maintenance activity on an asset without appreciating the full impact of doing so. Whilst there may be a short-term financial benefit, the long-term cost to the organization, if the asset prematurely fails, might substantially outweigh this benefit. Of course, maintenance is recognized as a means of introducing failures, so the proper investigation may prove that reducing maintenance frequency is a net benefit to the organization!

Asset life cycle

Understanding that assets have a life cycle is a key concept within Asset Management and is therefore worthy of scrutiny. There are dozens of different ways of representing the life cycle, but the diagram above captures a simple representation of it. The arrows don’t represent the length of time spent in each phase.

  1.  Acquire
    This covers everything the goes into planning, designing and procuring an asset. Some life cycle diagrams capture Planning as a separate function. Proper application of these activities ensures that the asset is fit for purpose.
  2. Commission
    This covers the activities of installing/creating or building the asset and ensuring that it is fully functional. It is a recognized fact that there is a higher incidence of failure after the first installation/building of an asset. This is reflected in the need for the commissioning stage in the life cycle to oversee the initial operation of the assets.
  3. Operate
    This is normally the bulk of the life cycle for an asset during which it provides the function for which it was designed. During this period the asset should be subject to appropriate monitoring, maintenance, refurbishment, and potential upgrade to meet any change in condition or operational requirement. For many assets, this phase is decades-long. It may even be centuries. It is the phase that many engineers are most familiar with.
  4. Dispose
    This is often the most overlooked phase. Assets can last beyond a human life time and it can be difficult to consider asset disposal when it is so far into the future. Asset Management teaches us that we ignore any stage of the asset life cycle at our peril. This is a key period within an asset’s life. With some assets, e.g. in the nuclear industry, this can be an extended and highly critical period. Key activities during this period include the effective removal of the asset from operation; the disposal or recycling of the asset or its components; and the feed into the planning for the replacement asset (if a replacement is required) to determine the operational requirements based on the effectiveness of operation and the failure modes encountered.

How to go about it?

  1. Review potential sources of information assets. A holistic perspective that includes data centers, hardware, software, and data may require various sources including:
    1. Organizational asset inventory reports from departments responsible for purchasing and equipment asset inventory.
    2. Organizational information security risk assessments.
    3. Business Continuity and Disaster Recovery plans (a good source for critical systems).
    4. Visit your Organization’s CIO and data center management and discuss what information resources are under their custody.
    5. Visit major stakeholders (senior staff, administrative department heads, etc.,) and discuss what information systems and data their department handles.
    6. Create a spreadsheet of the items.
    7. List the assets for each category.
    8. Define distinct categories for the types of assets in the organization. (e.g., infrastructure, data center hardware, information systems/applications, data).
  2. Record the physical location of the asset in your spreadsheet. You may want to divide them into Local and Hosted. Include under Local institutional brick and mortar physical locations such as classrooms, data centers, labs, or offices. For example, the location of collaborative research materials on a file share may be Primary Data Center X. Include under Hosted third-party vendor data centers and other remote locations not owned by the organization. For example, the location of the learning management system is the Vendor X data center located in Address.
  3. Identify and record in your spreadsheet the Owners and Custodians for each of the assets listed in your spreadsheet. Most of the time, the individuals responsible for the security of the asset and ensuring compliance are not the same as the individuals responsible for implementing security controls and day-to-day operations.
    1. Review the federal or state laws, regulations, rules or institutional policies that require protection of information resources.
    2. Review your institution’s Data Classification Policy.
    3. Determine if the organization’s assets are classified in accordance with the Data Classification policy.
    4. Create a simple classification schema (e.g., Public, Restricted, Confidential).
    5. Create a criticality rating for the assets. For example (highest to lowest):
      1. critical is always available and protected
      2. very important this asset is available and protected
      3. important if this asset is available and protected
      4. good if this asset is available with minimal protection
    6. Record in your spreadsheet the asset classification and/or criticality ranking.
      • . Example 1: The LMS system has a rating of 2.
      • Example 2:  Customer Records are Confidential and have a rating of 1.
    7. Determine whether institutional assets are protected according to their classification and importance.

Seven steps to implement Asset Management

  1. Developing Policy: The Asset Management Policy is the link between the Organisational Plan (that is the top-level ‘business plan’ in a company) and the Asset Management Strategy. It is typically a set of principles or guidelines to steer Asset Management activity to achieve the organization’s objectives. It specifically covers the ‘what’ and the ‘why’.
  2. Developing Strategy: The Asset Management Strategy directs the organization’s Asset Management activity; it will determine the high-level Asset Management objectives that are needed from the activity to deliver the organization’s objectives; it will define the approach to planning that will be taken.
  3. Asset Management Planning: Asset Management Planning looks at considering all the options for activities and investments going forward and then putting together a set of plans which describe what will be done when and by whom. The asset manager ensures that the plan delivers what is required of it by the strategy.
  4. Delivering the Plans:  This is the bit where work is actually done on the assets, whether assessing or monitoring them, maintaining or repairing them, refurbishing or replacing them. This activity clearly needs to include the appropriate controls to ensure the work is done efficiently and that information gathered is fed back into the strategy and planning activities.
  5. Developing People: This activity is specifically about developing the skills and competences of people to better deliver Asset Management activities. It spans from the board room to the toolbox and also through the supply chain. As well as individual skills, it looks at the culture within an organization and how change can be managed to achieve optimal results for that organization.
  6. Managing Risk: Understanding risk is a critical concept in Asset Management and is a key function and area of competence. Its focus is on being able to assess the risk of action or inaction on the performance
    of assets in the context of the organization’s corporate objectives.
  7. Managing Asset Information: Collecting and collating the right information to
    inform Asset Management decisions is crucial to achieving Asset Management’s success. Too much data confuses the picture and costs money to collect. Too little data results in decisions made in the dark (or at best the twilight!). Ensuring that the right people have the right information to make the best decisions is key.

A.8.1 Responsibility for assets 


To identify organizational assets and define appropriate protection responsibilities.

A.8.1.1 Inventory of assets


Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.

Implementation Guidelines:

An organization should identify assets relevant in the lifecycle of information and document their importance. The lifecycle of information should include creation, processing, storage, transmission. deletion and destruction. Documentation should be maintained in dedicated or existing inventories as appropriate. The asset inventory should be accurate, up to date, consistent and aligned with other inventories. For each of the identified asséts, ownership of the asset should be assigned and the classification should be identified. Inventories of assets help to ensure that effective protection takes place, and may also be required for other purposes. such as health and safety. insurance or financial (asset management) reasons. ISO provides examples of assets that might need to be considered by the organization when identifying assets. The process of compiling an inventory of assets is an important prerequisite of risk management

A.8.1.2 Ownership of assets


Assets maintained in the inventory should be owned.

Implementation Guidelines:

Individuals, as well as other entities having approved management responsibility for the asset lifecycle, qualify to be assigned as asset owners. A process to ensure timely assignment of asset ownership is usually implemented. Ownership should be assigned when assets are created or when assets are transferred to the organization. The asset owner should be responsible for the proper management of an asset over the whole asset lifecycle. The asset owner should:

  1. ensure that assets are inventoried.
  2. ensure that assets are appropriately classified and protected.
  3. define and periodically review access restrictions and classifications to important assets, taking into account applicable access control policies.
  4. ensure proper handling when the asset is deleted or destroyed..

The identified owner can be either an individual or an entity who has approved management responsibility for controlling the whole lifecycle of an asset. The identified owner does not necessarily have any property rights to the asset. Routine tasks may be delegated e.g. to a custodian looking after the assets on a daily basis, but the responsibility remains with the owner.  In complex information systems, it may be useful to designate groups of assets that act together to provide a particular service. In this case, the owner of this service is accountable for the delivery of the service, including the operation of its assets.

A.8.1.3 Acceptable use of assets


Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented, and implemented.

Implementation Guidelines:

Employees and external party users using or having access to the organization’s assets should be made aware of the information security requirements of the organization‘s assets associated with information and information processing facilities and resources. They should be responsible for their use of any information processing resources-and of any such use carried out under their responsibility.

A.8.1.4 Return of assets


All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract, or agreement.

Implementation Guidelines:

The termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organization. In cases where an employee or external party user purchases the organization’s equipment or uses their own personal equipment, procedures should be followed to ensure that all relevant information is transferred to the organization and securely erased from the equipment. In cases where an employee or external party user has knowledge that is important to ongoing operations that information should be documented and transferred to the organization. During the notice period of termination, the organization should control the unauthorized copying of relevant information (e.g. intellectual property) by terminated employees and contractors.

Responsibility for Assets

In order to effectively manage an organization’s assets, you must first understand what assets you have and where your organization keeps them. Some asset examples are IT hardware, software, data, system documentation, and storage media. Supporting assets such as data center air systems, UPS’s, and services should be included in the inventory. All assets should be accounted for and have an owner. If improperly managed, assets can become liabilities.

  • Categorize your assets. Begin by defining distinct categories of the types of assets in the organization. Each category should have its own inventory or classification structure based on the assets that category may contain. (Category: Data Center Hardware)
  • Create a list of assets for each category. Creating a list of an institution’s assets and their corresponding locations is the beginning of your inventory. Often, the process of doing so helps identify additional assets that previously had not been considered.(Category: Data Center Hardware; Asset: Core Network Switches)
  • Add a location for each asset. The location could be a brick and mortar physical location such as a classroom, data center or office. It could also be collaborative research materials on a file share or financial information stored in a database. (Category: Data Center Hardware; Asset: Core Network Switches; Location: Room no 001)

Because assets can be many things and serve multiple functions, there will likely be more than one inventory process or system used to capture the range of assets that exist in an organization. Make sure you connect with other areas to see what form of hardware inventory already exists. Don’t start from zero. Each inventory system should not unnecessarily duplicate other inventories that may exist.

Asset Responsibility/Ownership

Once you have begun to capture an inventory of the potential assets and their locations, start identifying the responsible person for each asset. An owner is a person, or persons or department, that has been given formal responsibility for the security of an asset. The owner is responsible for securing the asset during the lifecycle of the asset.  At this juncture in the exercise, it is important to understand the distinction between the terms “owner” and “custodian” of assets.

The custodian is responsible for ensuring that the asset is managed appropriately over its lifecycle, in accordance with rules set by the asset owner.  The custodian is often a subject matter expert (SME) or “owner” of the business process for a particular information asset.  An owner of an information asset, Data Owners if you will have direct operational responsibility for the management of one or more types of data.  Think of it in terms of an information security department.  You have the “owner”, the person responsible for interpreting and assuring compliance.  That would be the Director or CISO.  Then there is the custodian, the person responsible for the day-to-day operations and management of the tools and processes that protect the information assets.

Identifying the owners will help determine who will be responsible for carrying out protective measures, and responding to situations where assets may have been compromised. You will also quickly realize when it isn’t clear who the appropriate responsible party is or when shared responsibility may be an issue.

(Category: Data Center Hardware; Asset: Core Network Switches; Location: Room no 01; Owner: Director XYZ)

The owner of the assets should be able to identify acceptable uses or provide information on which policy governs its acceptable use. Work with the responsible owner, if need be, on acceptable uses. The acceptable uses should include items such as who assumes the risk of loss, gives access to the asset and how a critical asset is kept functional during or after a loss. Policies governing the use, preservation, and destruction of hardware may originate from your asset management office. Many organizations also find it helpful to document expectations for the acceptable and responsible use of information technology assets in an Acceptable and Responsible Use Policies.

Physical and Environmental Asset Importance

All assets add value to an organization. However, not all assets are created equal. Gaining a clear understanding of the relative importance of each asset when compared to other organizational assets is an essential step if you are to adequately protect your assets. The importance of an asset can be measured by its business value and security classification or label. Create a rating system for the asset. It can be as simple as (highest to lowest)

  • 1 – critical is always available and protected
  • 2 – very important this asset is available and protected
  • 3 – important if this asset is available and protected
  • 4 – good if this asset is available with minimal protection

Building on the previous example and adding a rating system, it would look like

(Category: Data Center Hardware; Asset: Core Network Switches; Location: Room no 01; Owner: Director XYZ; Rate: 1 (Critical))

A  computer kept in a cafeteria for the purpose of recreation may have a lower score given it is good that the asset is available. The computer kept in the finance dept may be protected with anti-virus and firewall.

Acceptable Use of Assets Associated With Information

After going through the asset inventory, categorization, and ownership identification, ensure there are documented policies regarding the acceptable use of assets. Define, and document, the rules that clarify the acceptable uses of assets associated with information and information processing facilities. It is important, once the rules are clarified, that appropriate controls are implemented and the security requirements are communicated. Target the communication of security requirements to employees and, if appropriate, third parties who may use these assets. Accountability is key. Asset owners should be responsible and accountable, even if the owner has delegated responsibility, for their use of facilities and resources.

An example of an Acceptable Use Policy

  1. General Use and Ownership
    1. proprietary information stored on electronic and computing devices whether owned or leased by , the employee or a third party, remains the sole property of. You must ensure through legal or technical means that proprietary information is protected in accordance with the Data Protection Standard.
    2. You have a responsibility to promptly report the theft, loss or unauthorized disclosure of proprietary information.
    3. You may access, use or share proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.
    4. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.
    5. For security and network maintenance purposes, authorized individuals within may monitor equipment, systems, and network traffic at any time, per the organization’s Audit Policy.
    6. reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
  2. Security and Proprietary Information
    1. All mobile and computing devices that connect to the internal network must comply with the Minimum Access Policy.
    2. System-level and user-level passwords must comply with the Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
    3. All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.
    4. Postings by employees from an email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of unless posting is in the course of business duties.
    5. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.
  3. Unacceptable Use
    The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
    Under no circumstances is an employee of authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing -owned resources.
    The lists below are by no means exhaustive, but attempt to provide a framework for activities that fall into the category of unacceptable use.
    3.1  System and Network Activities
    The following activities are strictly prohibited, with no exceptions:  
    1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by.
    2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which or the end-user does not have an active license is strictly prohibited.
    3. Accessing data, a server or an account for any purpose other than conducting business, even if you have authorized access, is prohibited.
    4. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to the export of any material that is in question.
    5. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
    6. Revealing your account password to others or allowing the use of your account by others. This includes family and other household members when work is being done at home.
    7. Using a computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
    8. Making fraudulent offers of products, items, or services originating from any account.
    9. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
    10. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
    11. Port scanning or security scanning is expressly prohibited unless prior notification to Information Security is made.
    12. Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
    13. Circumventing user authentication or security of any host, network or account.
    14. Introducing honeypots, honeynets, or similar technology on the network.
    15. Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
    16. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.
    17. Providing information about, or lists of, employees to parties outside.

      3.2 Email and Communication Activities
      When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that “the opinions expressed are my own and not necessarily those of the company”. Questions may be addressed to the IT Department

    1. Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
    2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
    3. Unauthorized use, or forging, of email header information.
    4. Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
    5. Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
    6. Use of unsolicited email originating from within ‘s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by or connected via ‘s network.
    7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

      3.3 Blogging and Social Media

    1. Blogging by employees, whether using ’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of ’s systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate ’s policy, is not detrimental to ’s best interests, and does not interfere with an employee’s regular work duties. Blogging from ’s systems is also subject to monitoring.
    2. ’s Confidential Information policy also applies to the blog. As such, Employees are prohibited from revealing any confidential or proprietary information, trade secrets or any other material covered by ’s Confidential Information policy when engaged in blogging.
    3. Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by ’s Non-Discrimination and Anti-Harassment policy.
    4. Employees may also not attribute personal statements, opinions or beliefs to when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of . Employees assume any and all risks associated with blogging.
    5. Apart from following all laws pertaining to the handling and disclosure of copyrighted or export controlled materials, ’s trademarks, logos and any other intellectual property may also not be used in connection with any blogging activity
  4. Policy Compliance
    1. Compliance Measurement: The Infosec team will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
    2. Exceptions: Any exception to the policy must be approved by the Infosec team in advance.
    3. Non-Compliance: An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

—————————End of example—————————————

Return of Assets

It is critical that organizations protect their information on the equipment of employees when their employment is terminated. Make sure all relevant information that will be needed by the institution is preserved, but all information on the asset is erased. Develop an employee exit checklist that addresses the return of all institutional assets, physical or information, before the employee’s last day. There are, of course, emergency situations dealing with immediate termination that may not lend themselves to a measured checklist. Create a simple checklist for those instances as well. Get to know a resource in your HR area and work with that resource to incorporate physical and electronic assets at termination.

As stated before, assets can be a variety of items. Employee knowledge is also an information asset to the organization. Preserve their relevant knowledge, document, before the individual leaves the institution, and ensure that knowledge is in the organization’s possession. Once again, use the checklist to incorporate this aspect of asset return. A sample may include:

  • The employee has returned all computing equipment to IT.
  • IT will preserve the information on the equipment by copying to an external drive or employee group shared file server. Preserved information will be given to the employee’s supervisor.
  • The employee has transferred all institutional information from his/her personal equipment and given that to their supervisor.
  • Employee rights to information assets have been terminated as of this date.
  • Employee knowledge transfer has occurred.

Don’t forget about the contractors, consultants, or any other external third party upon termination of contract or agreement. The same rules apply. You may wish to have a separate asset security checklist for all external agents and ensure this information is part of their contract or agreement.

 A.8.2 Information classification


To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of information


Information should be classified in terms of legal requirements. value, criticality, and sensitivity to unauthorized disclosure or modification.

Implementation Guidelines:

Classifications and associated protective controls for information should take account of business needs for sharing or restricting information, as well as legal requirements. Assets other than information can also be classified in conformance with the classification of information that is stored in, processed by, or otherwise handled or protected by the asset. Owners of information assets should be accountable for their classification. The classification scheme should include conventions for classification and criteria for review of the classification over time. The level of protection in the scheme should be assessed by analyzing confidentiality, integrity, and availability, and any other requirements for the information considered. The scheme should be aligned with the access control policy. Each level should be given a name that makes sense in the context of the classification scheme‘s application. The scheme should be consistent across the whole organization so that everyone will classify information and related assets in the same way, have a common understanding of protection requirements, and apply for the appropriate protection.

The classification should be included in the organization’s processes, and be consistent and coherent across the organization. Results of classification should indicate the value of assets depending on their sensitivity and criticality to the organization, e.g. in terms of confidentiality, integrity, and availability. Results of classification should be updated in accordance with changes in their value, sensitivity, and criticality through their life-cycle. Classification provides people who deal with information with a concise indication of how to handle and protect it. Creating groups of information with similar protection needs and specifying information security procedures that apply to all the information in each group facilitates this. This approach reduces the need for case-by-case risk assessment and custom design of controls.

Information can cease to be sensitive or critical after a certain period of time. for example, when the information has been made public. These aspects should be taken into account. as over-classification can lead to the implementation of unnecessary controls resulting in additional expense or on the contrary under-classification can endanger the achievement of business objectives. An example of an information confidentiality classification scheme could be based on four levels as follows:
a) disclosure causes no harm;
b) disclosure causes minor embarrassment or minor operational inconvenience;
c) disclosure has a significant short term impact on operations or tactical objectives;
d) disclosure has a serious impact on long-term strategic objectives or puts the survival of the organization at risk.

A.8.2.2 Labelling of information


An appropriate set of procedures for information labeling should be developed and implemented in accordance with the information classification scheme adopted by the organization.

Implementation Guidelines:

Procedures for information labeling need to cover information and its related assets in physical and electronic formats. The labeling should reflect the classification scheme established in 8.2.1. The labels should be easily recognizable. The procedures should give guidance on where and how labels are attached in consideration of how the information is accessed or the assets are handled depending on the types of media. The procedures can define cases where labeling is omitted, e.g. labeling of non-confidential information to reduce workloads. Employees and contractors should be made aware of labeling procedures. The output from systems containing information that is classified as being sensitive or critical should carry an appropriate classification label. Labeling of classified information is a key requirement for information sharing arrangements. Physical labels and metadata are a common form of labeling. Labeling information and its related assets can sometimes have negative effects. Classified assets are easier to identify and accordingly to steal by insiders or external attackers.

A.8.2.3 Handling of assets


Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization.

Implementation Guidelines:

Procedures should be drawn up for handling processing, storing, and communicating information consistent with its classification. The following items should be considered:

  1. access restrictions supporting the protection requirements for each level of classification
  2. maintenance of a formal record of the authorized recipients of assets
  3. protection of temporary or permanent copies of information to a level consistent with the protection of the original information
  4. storage of IT assets in accordance with manufacturers’ specifications;
  5. clear marking of all copies of media for the attention of the authorized recipient.

The classification scheme used within the organization may not be equivalent to the schemes used by other organizations. even if the names for levels are similar in addition, information moving between organizations can vary in classification depending on its context in each organization, even if there classification schemes are identical. Agreements with other organizations that include information sharing should include procedures to identify the classification of that information and to interpret the classification labels from other organizations.

Data Protection and Privacy of Personal Information (Records Management)

The valuable data every organization needs to be protected commensurate with how it is classified. Customers, employees, and vendors entrust the organization with a given data set and there is an implied bargain that the data so entrusted will be protected from any use or disclosure other than as agreed to when the data was given. To do this, each organization has to govern the data it uses so that it will be received, made, used, stored, shared, or destroyed in a purposeful manner that recognizes the pact to protect data in its’s daily mission. Areas to consider in a data governance program include:

  • Sensitivity Level. An Organization should be classifying data as to sensitivity to assure that proper security protection is in place appropriate with the given data set.
  • Retention Period. Consistent with records management practices, an organization needs to be aware of the period in which data is to be retained, to assure that data’s availability and integrity for that retention period.
  • Data Utilization. In every part of an organization that controls a given data set, appropriate procedures for how that data is utilized must be established. This includes access restrictions, proper handling, logging, and auditing.
  • Data Back-up. How an Organization creates back-up copies of data and software is a critical element. Procedures need to be in the place that memorializes and verify the implementation and inventory of back-up copies.
  • Management of Storage Media. Processes to ensure proper management of storage media, including restrictions of types of media, audit trails for movement of media, secure disposal of media no longer in use, and redundant storage.
  • Electronic Data Transfers.
  • Disposal of Media.

Information Asset Importance

Information assets may not be equally important, nor equally sensitive or confidential in nature, nor require the same care in handling. One common method of ascertaining the importance of assets is data classification. Information assets should be classified according to their need for security protection and labeled accordingly. To begin to start with federal or state laws, regulations, rules, or institutional policies that require certain information assets to be protected.  Pick a classification metric. Keep it simple. You may want to use something like (lowest to highest)

Public, Restricted, Confidential

Asset Protection

Different assets have different impacts on the continuity and reputation of the organization. Once you have determined the importance of your various organizational assets, you can begin the process of determining how best to protect them. Many methods are employed to protect assets, ranging from policies to technical security controls. Additionally, assets must be protected throughout their life cycle, from creation or purchase through final disposal or long-term storage. Protection measures range from addressing purchasing controls to managing access by appropriate personnel to ensuring adequate physical security for assets throughout their lifetime.

Some organization has established Data Stewardship policies to help ensure responsibilities for protecting data are effectively accomplished. Other organizations conduct regular security assessments of assets considered to be critical for the functioning of an organization. They may also address asset protection through physical security measures, or through background checks for newly hired and continuing personnel.

Labeling of Information

Do you have your information and physical assets labeled?

Your Organization may already have property control of assets where items over a certain dollar amount are automatically tagged with a unique, usually numeric, identifier by Property Control. If not, create one yourself. Use your newly created inventory of assets to assign a unique identifier to each one. Prepare labels that are easy to recognize and sturdy, and attach them to a visible place on the equipment. Make sure you clarify when labels should not be used on equipment. This could be based on the dollar amount or the level of risk you’ve assigned to the asset. Information needs labeling as well. Develop your information labeling procedures based on the data classification schema you developed previously. Metadata is a common type of information label. Do be careful how you manage the information you may have labeled as restricted or confidential. Because of the labeling, be careful how you manage restricted/sensitive or confidential information. It is much easier to steal or misuse when the assets are easy to identify.

Handling of Assets

Is information being handled and protected according to its classification?

Now that you have your assets identified, classified, and labeled, you will need to develop procedures for handling assets associated with your information and information processing facilities. It is important that your asset handling procedures respect and reflect how you classified it. Ensure that

  • Information is handled and protected according to its classification. This includes sharing with external entities.
  • There are procedures to control classified information. Clarify how yours, and perhaps others’, classifications should be interpreted.
  • Information is stored, processed, transmitted and copied according to its classification. Copies should get the same protections.
  • Access restrictions are designed for each level of classification. Restrictions must meet protection requirements.
  • There is a formal record of the authorized recipients of the assets. Specify who the authorized recipient should be. Label media copies appropriately.

All of the above bullet points can be incorporated into one procedural access handling document. Remember, keep it simple so others will be able to understand and comply with the requirements. Hold a session with your information and physical asset owners so they can help you define the requirements. It’s important everyone feels ownership of this process.

A.8.3 Media handling


To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media


Procedures should be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

Implementation Guidelines:

The following guidelines for the management of removable media should be considered:

  1. if no longer required, the contents of any re-usable media that are to be removed from the organization should be made unrecoverable.
  2. where necessary and practical, authorization should be required for media removed from the organization and a record of such removals should be kept in order to maintain an audit trail.
  3. all media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications.
  4. if data confidentiality or integrity are important considerations. cryptographic techniques should be used to protect data on removable media.
  5. to mitigate the risk of media degrading while stored data are still needed, the data should be transferred to fresh media before becoming unreadable.
  6. multiple copies of valuable data should be stored on separate media to further reduce the risk of coincidental data damage or loss.
  7. registration of removable media should be considered to limit the opportunity for data loss.
  8. removable media drives should only be enabled if there is a business reason for doing so.
  9. where there is a need muse removable media the transfer of information to such media should be monitored.

Procedures and authorization levels should be documented.

A.8.3.2 Disposal of media


Media should be disposed of securely when no longer required, using formal procedures.

Implementation Guidelines:

Formal procedures for the secure disposal of media should be established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for the secure disposal of media containing confidential information should be proportional to the sensitivity of that information. The following items should be considered:

  1. media containing confidential information should be stored and disposed of securely. e.g. by incineration or shredding. or erasure of data for use by another application within the organization;
  2. procedures should be in place to identify the items that might require secure disposal;
  3. it may be easier to arrange for all media items to be collected and disposed of securely, rather than attempting to separate out the sensitive items;
  4. many organizations offer collection and disposal services for media; care should be taken in selecting a suitable external party with adequate controls and experience;
  5. disposal of sensitive items should be logged in order to maintain an audit trail. 

When accumulating media for disposal. consideration should be given to the aggregation effect, which can cause a large quantity of non-sensitive information to become sensitive.
Damaged devices containing sensitive data may require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded.

A.8.3.3 Physical media transfer


Media containing information should be protected against unauthorized access, misuse or corruption during transportation.

Implementation Guidelines:

The following guidelines should be considered to protect media containing the information being transported:

  1. reliable transport or couriers should be used
  2. a list of authorized couriers should be agreed with management.
  3. procedures to verify the identification of couriers should be developed.
  4. packaging should be sufficient to protect the contents from any physical damage likely to arise during transit and in accordance with any manufacturers‘ specifications, for example protecting against any environmental factors that may reduce the media’s restoration effectiveness such as exposure to heat, moisture or electromagnetic fields.
  5. logs should be kept, identifying the content of the media, the protection applied as well as recording the times of transfer to the transit custodians and receipt at the destination.

Information can be vulnerable to unauthorized access, misuse or corruption during physical transport, for instance when sending media via the postal service or via courier. In this control, the media include paper documents. When confidential information on media is not encrypted, additional physical protection of the media should be considered.

Management of Removable Media

Integrate necessary controls to manage media items, whether tapes, disks, flash disks, or removable hard drives, CDs, DVDs, or printed media, to ensure the integrity and confidentiality of university data. Guidelines should be developed and implemented to ensure that media are used, maintained, and transported in a safe and controlled manner. Handling and storage should correspond with the sensitivity of the information on the media. Procedures to erase media if no longer needed, to ensure information is not leaked, are also important.


Procedures for handling classified information should cover the appropriate means of its destruction and disposal. Serious breaches of confidentiality occur when apparently worthless disks, tapes, or paper files are dumped without proper regard to their destruction.

Information Handling Procedures

Procedures for handling and storage of sensitive information, together with audit trails and records, are important. Accountability should be introduced and data classification and risk assessments performed, to ensure that necessary controls are applied to protect sensitive data. Appropriate access controls should be implemented to protect information from unauthorized disclosure or usage. Systems are also vulnerable to the unauthorized use of system documentation; much of this type of information should be regarded and handled as confidential. Security procedures, operating manuals, and operations records all come into this category.


Back to Home Page

If you need assistance or have any doubt and need to ask any questions contact me at You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s