Information Asset Management Standard

This Standard seeks to identify EClaims Group’s Information Assets and define appropriate protection responsibilities.

Scope

This Standard applies to all Employees and Third-parties who access, process or store Corporate Group’s Information Assets.

Management of Information Assets

Information Asset Identification

Information Assets associated with Corporate Group’s information and information processing facilities are identified, and an inventory of them is maintained in the Information Asset Register.

Identified Information Assets have recognizable and manageable value, risk, content and lifecycles.

An Information Asset is a body of information, defined and managed as a single unit, so that it can be understood, shared, protected and utilized effectively both in digital and physical format.

Information Assets in Corporate Group are segregated into the following categories:

  • Information assets

  • Supporting assets

    • Hardware

    • Software

    • People

    • Buildings

  • Intangible assets (e.g. brand and reputation)

Information Asset Register

Identified Information assets are documented in the Information Asset Register.

In practice, a number of information asset registers may develop and exist (e.g., product, departmental, process, workplace equipment).

All critical information assets are identified and included in the Information Asset Register, together with details of:

  • Name of asset

  • Asset/information ‘type’

  • Data held and/or data flows (including asset/information provider)

  • Classification of information held in asset

  • Whether personal information is held in the asset

  • Location of asset

  • The owner of the asset

  • Asset impact level to confidentiality, integrity and availability

  • Whether disaster recovery plans are in place

  • Planned reviews and/or audits

The Information Asset Register should be reviewed at least every 6 months or when changes have been made to assets, owners or organizational situations.

Information Asset Disposal

Information Assets must be disposed of securely when no longer required.

Data storage devices in workplace and office equipment, and removable media, must be securely erased or destroyed.

Cloud providers must provide a time-stamped, signed message attesting to the steps that have been taken to delete the data in information assets.

Logs evidencing erasure or destruction must be retained as an audit trail.

Third-parties may be engaged for secure disposal of information.

Handling of Information Assets

Information assets must be handled according to the Acceptable Use of Information.

Information Risk Assessment of Information Assets

Risk assessments will be performed for Critical Information Assets according to the Information Security Risk Management Standard.

Bring Your Own Devices (BYOD) Requirements

Employees may use their own mobile devices (e.g., mobile phones, tablets) to access Corporate Group’s noncritical Information Assets (e.g., Slack, Gmail).

It is forbidden to access Corporate Group’s Critical Information Assets with BYOD (e.g., source code repositories).

Employees must be trained to raise their awareness of the controls that must be implemented when using BYOD.

Corporate Group may use additional software security measures to control BYOD, including but not limited to:

  • Separation of private and business use environments

  • Business data encryption

  • Remote business data erasure

Roles and Responsibilities

Information Asset Owner

The Information Asset Owners of an Information Asset are those employees who have primary responsibility for the viability and survivability of the Information Asset.

The Information Asset Owner is a senior person within an organization with sufficient authority and/or officially designated as accountable for a specific business process / function within an organization.

The responsibilities of the Information Asset Owner are as follows:

  • Updating the Information Asset Inventory Register

  • Identifying the classification level of the Information Asset

  • Defining and implementing appropriate security measures to ensure the confidentiality, integrity, and availability of the Information Asset

  • Assessing and monitoring security measures to ensure their compliance, and reporting situations of non-compliance

  • Authorizing access to those who have a business need for the information in the Information Asset

  • Ensuring access is removed from Users who no longer have a business need for the information in the Information Asset

  • Completing and/or attending training on information asset management and responsibilities

An Information Asset Owner may delegate these security responsibilities, but the Information Asset Owner remains ultimately responsible for the protection of the asset.

Custodian

The Custodians of an Information Asset are the Employees or designated Third-parties responsible for the operation and management of the information systems which collect, manage, process, or provide access to Corporate Group’s information.

The responsibilities of the Custodian are as follows:

  • Applying security measures appropriate to the classification level of Information Assets in their custody

  • Complying with applicable Corporate Group’s information security policies, standards, processes, and procedures

  • Managing Users’ access to the Information Asset

  • Following data handling and protection policies and procedures

Users

The Users are Employees and Third-parties who have been granted access to Information Assets in order to perform assigned duties or in fulfillment of assigned roles or functions for the Corporate Group.

The responsibilities of the Users are as follows:

  • Following and complying with Corporate Group’s information security policies, standards, processes, and procedures, and implementing security measures for protecting information in Information Assets

  • Reporting any unauthorized access to Information Assets and/or misuse of information from Information Assets to the Information Security Team for remediation

Review and Update

This Standard must be maintained in accordance with the Information Security Policy.

Revision History

Version | Author | Approved By | Revision date | Approval date
0.1     | GK     |             | 2023-05-20    | 2023-05-23
0.2     | DM     |             | 2023-11-02    | 2023-11-02
0.3     | GK     | DM          | 2024-09-10    | 2024-09-10

Last updated