Ex Libris Asset Management Policy

Purpose and Scope

The purpose of this policy is to describe the activities related to managing devices and software assets. These assets are valued over $500 USD, that potentially maintain customer or personal data.

Reference Documents

• Ex Libris IT Security Policy
• Ex Libris Password Policy
• Ex Libris Security and Privacy Incident Response Policy

Responsibilities

• The Ex Libris Chief Information Security Officer (CISO)
  • Review and updating the process periodically.
  • Approve of the process changes.
  • Ensure that the asset management information system is implemented and working properly.
  • Ensure that the asset management activities are performed as defined.
• IT/MIS Management and Cloud Management
  • Implement the process.
  • Register new assets.
  • Maintain and managing the information about the assets.
  • Arrange for the maintenance/repair of the assets as needed.
  • Inform Finance when assets are obsoleted .
  • IT/MIS and Cloud will regular audit the asset to ensure that the asset management process is followed.
• Asset Owner
  • Confirm the receipt of assets assigned.
  • Inform the IT/MIS or Cloud if the asset is no longer needed or requires maintenance/repair work.

Definitions

• Least Privilege – principle of limiting access to the minimal level that will allow normal function.
• Segregation of Duties (SoD) – internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task. SoD involves breaking down tasks that might reasonably be completed by a single individual into multiple tasks so that no one person is solely in control.
• Need to Know – users or resources will be granted access to systems that are necessary to fulfill their roles and responsibility.
• Privileged Access – a higher level of access that includes, but is not limited to, administrator accounts, administrator group access, and administrator rights.

Policy Statement

All assets will be appropriately managed to:

o   Ensure asset ownership and responsibility

o   Track assets through their lifecycle

o   Ensure that asset information is accurate

This policy applies to all assets that are valued $500 or more, that potentially maintain customer or personal data. 

Process

Asset Registration

All new assets will be registered.

The following details will be recorded:

o   Description

o   Type;

o   Location;

o   Serial number, if applicable;

o   User/Owner;

o   For software, the renewal date

Assign asset to owner

During the asset registration process, the asset will be assigned an owner.  Shared assets will be assigned to the manager of the unit using the asset.

The asset is given to the responsible person.

Maintenance /Repair Work

Maintenance/repairs to the asset will be managed by IT/MIS and Cloud teams.

Asset Disposal

When the asset lifecycle is completed, the asset will be disposed in accordance with the Information Security Policy.  Care will be taken to ensure that all Company Confidential information has been erased from the asset.

Audit

IT/MIS and Cloud will regular audit the asset to ensure that the asset management process is followed. 

Policy Enforcement

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.

Record of Changes

Revision Control

Document Distribution and Review

The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.