Purpose
The purpose of the IT Asset Management Policy is to maintain accurate records of ecoPortal’s physical and digital computer assets. This document establishes procedures to ensure compliance with government regulations and legal industry standards, and to ensure accurate reporting of physical assets. This policy will apply to all computer equipment and related assets purchased and handled by ecoPortal. Its objectives are to identify organizational assets and define appropriate protection responsibilities; to ensure that information receives an appropriate level of protection in accordance with its importance to the organization; and to prevent unauthorized disclosure, modification, removal, or destruction of information stored on media.
For any questions relating to this document or our Security & Privacy, please contact us at issues@ecoportal.co.nz
Safeguarding Responsibilities - Physical Assets
All items purchased will be recorded and maintained on a Fixed Asset Register by the IT Department. In order to manage the register accurately and efficiently, all employees shall adhere to the following:
Employees of ecoPortal shall not remove IT assets supplied by the firm from company premises, except under the following conditions:
IT assets assigned to employees, which may include laptop or tablet computers and Personal Digital Assistant (PDA) or Smartphone devices, may be removed for the following reasons only:
Teleworking.
Work that is outside of the office that is a part of an assigned position.
Exceptions to this policy must be requested in writing and approved by the Director of Information Security. Documentation of exceptions shall include the business or technical justification and the duration of the exception.
ecoPortal’s employees are responsible for safeguarding any IT assets they remove from the building, including keeping these assets under their direct physical control whenever possible, and physically securing the assets when they are not under the employee’s direct physical control.
ecoPortal’s employees must immediately report the loss or theft of any assigned IT assets to the IT Department.
ecoPortal’s employees are not allowed to bring their own IT assets into work locations with the purpose of connecting to the firm’s private network and data.
In general, connection of personal IT assets to networks provided by the firm for guest or public access is not allowed.
Exceptions to this policy must be documented in writing and approved by the Director of Information Security. Documentation of exceptions shall include the business or technical justification and the duration of the exception.
Safeguarding Responsibilities - Digital Assets
ecoPortal ensures that all client data is:
Stored in a secure facility, both physically and digitally
Accessed end-to-end only in a secure and encrypted manner
Backed up in a secure and encrypted fashion
Not removed unless requested by the client, considering the technical abilities (nature of the backup system)
All ecoPortal employees handling client data must ensure that:
All client data is accessed only over secure channels (HTTPS or SFTP with or without MFA)
All client data received from or sent to clients is done so in an encrypted manner (GPG)
All client data is stored on encrypted drives and/or folders
All client data is removed from said drives/folders at the earliest opportunity and the “trash can” is cleared
Any and all devices accessing client data are password locked when the employee walks away from the device
Any and all mobile devices accessing client data are logged out of ecoPortal at the earliest opportunity
Disposal of Assets
...
Disposal of ecoPortal’s assets, including the sale, transfer, donation, write off or sustainable disposal (recycling), must be done in adherence with all federal, state and local regulations.
...
Computer hardware must have all software and information securely removed prior to disposal.
...
Highly sensitive data must be deleted using secure methods as soon as it is no longer required.
...
Scope
This policy applies to all ecoPortal owned or managed information systems.
Inventory of Assets
Assets associated with information and information processing facilities that store, process, or transmit classified information shall be identified and an inventory of these assets shall be created and maintained.
Ownership of Assets
Assets maintained in the inventory shall be owned by a specific individual or group within ecoPortal.
Acceptable Use of Assets
Rules for the acceptable use of information, assets, and information processing facilities shall be identified and documented in the Information Security Policy.
Loss or Theft of Assets
All ecoPortal personnel must immediately report the loss of any information systems, including portable or laptop computers, smartphones, PDAs, authentication tokens (keyfobs, one-time-password generators, or personally owned smartphones or devices with an ecoPortal software authentication token installed) or other devices that can store and process or help grant access to ecoPortal data.
Return of Assets
All employees and third-party users of ecoPortal equipment shall return all of the organizational assets within their possession upon termination of their employment, contract, or agreement.
Handling of Assets
Employees and users who are issued or handle ecoPortal equipment are expected to use reasonable judgment and exercise due care in protecting and maintaining the equipment.
Employees are responsible for ensuring that company equipment is secured and properly attended to whenever it is transported or stored outside of company facilities.
All mobile devices shall be handled in accordance with the Information Security Policy.
Excepting employee-issued devices, no company computer equipment or devices may be moved or taken off-site without appropriate authorization from management.
Asset Disposal & Re-Use
Company devices and media that stored or processed confidential data shall be securely disposed of when no longer needed. Data must be erased prior to disposal or re-use, using an approved technology in order to ensure that data is not recoverable. Alternatively, a Certificate of Destruction (COD) must be obtained for devices destroyed by a third-party service.
Please refer to NIST Special Publication 800-88 Revision 1 “Guidelines for Media Sanitization” in order to select which methods are appropriate.
Exceptions
Requests for an exception to this policy must be submitted to the CTO for approval.
Violations & Enforcement
Any known violations of this policy should be reported to the CTO. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.