Connor Group Information Security

 

Asset Management

 

 

December 2023

 

v.1.0

 

 

Introduction

At Connor Group, Asset Management is a cornerstone of technical operations to ensure protection of company IT assets. Asset management is driven by three primary imperatives: risk mitigation, resource optimization, and compliance adherence. By maintaining an accurate inventory of IT assets, we can identify vulnerabilities, assess potential threats, and implement security measures to mitigate risks. Asset management also enables IT to scope protections and support to approved devices and software, helping assets perform at peak efficiency while remediating efforts on legacy systems. Lastly, Connor Group must maintain an accurate asset inventory to comply with industry and security compliance requirements. 

 

Asset management includes tracking the lifecycle of computing hardware, networking equipment, software, and SaaS providers used by the business. This standard codifies expectations for tracking of physical and digital assets. This is one of a set of documents that together form Connor Group's Information Security Management System (ISMS).

 

Purpose

The purpose of this Standard is to provide expectations and requirements for Asset Management at Connor Group.

 

Scope

This Standard applies to computer endpoint systems (desktop, laptop, and VDI systems used by CG employees to access Connor Group networks), server-class systems owned or operated by Connor Group IT, and SaaS systems holding or processing Connor Group production data. 

 

This Standard defines the term “IT Systems” in-scope to include: 

  • Network Devices (e.g., Switches/Routers/Firewalls)
  • Servers, both physical and virtual 
  • Desktop Systems, both physical and virtual 
  • Storage Solutions (e.g. File servers, NAS)
  • Company Removable Media (e.g. MicroSD cards, USB drives)
  • Approved Software

 

This Standard defines the following as out-of-scope and excluded from the term “IT Systems”:

  • Smartphones (e.g., iPhones, Androids, etc.)
  • Tablets (e.g., iPads)

 

All staff and Third Parties responsible for the management of IT Systems must understand and follow the requirements herein. 

 

In the event of uncertainty regarding the applicability of this Standard, contact Information Security for clarification and/or guidance at [email protected].  

 

Definitions

Definitions of terms and acronyms used within Information Security Standards can be found in the Glossary of Definitions (https://helpdesk.connorgp.com/a/solutions/articles/11000112202).

 

Standard

Adherence to requirements in this standard is mandatory.

 


 

 

1. Asset Management Database (AMDB)

 

Ref    Requirement

1.1    Connor Group shall maintain an Asset Management Database that shall contain records for the following company managed assets, at a minimum:

  1. Laptops and VDI instances
  2. Servers (Physical and virtual)
  3. Networking Equipment (physical and virtual)
  4. Approved Software

1.2    Asset Management Records shall contain the following information where applicable:

  1. Asset-ID
  2. Type
  3. Owner
  4. Used By
  5. Serial / Version
  6. Production Status (Test/Dev/Prod/Decommissioned/Non-provisioned, etc.)
  7. Location
  8. Warranty Expiration or Divestiture Date
  9. Dependency

1.3    Asset names shall be unique within the system and follow naming conventions prescribed by IT.

1.4    Access to the AMDB shall be restricted to authorized individuals.

1.5    Changes to the AMDB shall be logged in accordance with the Auditing and Logging Standard.

 

2. Asset Monitoring and Management

 

Ref    Requirement

2.1    An asset management agent shall be utilized by managed assets to automatically and regularly report in to the management database, where feasible.

2.2    The physical asset inventory shall be regularly reviewed for accuracy, with discrepancies investigated and remediated.

2.3    Software use on managed systems shall be regularly reviewed and contrasted against the approved software inventory.

       Unapproved software shall be reviewed with Information Technology and Information Security to determine remediation actions as necessary.

2.4    A formal process shall exist for adding assets into inventory and a formal process shall exist for removing assets from inventory.

2.5    Decommissioning of an asset shall include a formal process to securely delete any confidential data from the asset prior to removal of the asset from the AMDB.

 

Compliance

The Information Security team shall verify compliance with this policy through various methods, including, but not limited to, walk-throughs, environment sampling, process review, monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

 

Any exceptions to this Standard require a formally approved exemption documenting justification and approval against compliance to this Standard. Exemption approvals are required prior to the System entering live operation.

 

The following are required to adhere to this Standard, except where a formal exception has been granted as above: 

  • All Connor Group Systems and employees, independent contractors, and subcontractors. Any individual found to have violated this Standard may be subject to disciplinary actions including termination and legal recourse. 
  • Any Third-Party System that is used to support Connor Group data and/or Services. Any Third Party that violates this Standard will be considered to have breached its contract with Connor Group.

 

Revision History

Revisions require approval by the Director of Information Security and dissemination to applicable business units prior to release.

 

Version    Detail                                          Author                               Date

1.0        Formal review and acceptance of the Standard    Connor Group Information Security    Dec 2023