Inventory and Accountability Policy - Application Security Scope
Assets
Inventory of Assets – The organization will inventory and track all assets, physical and digital, that are used to view or store confidential information annually. The asset inventory will include all systems connected to the network and network devices themselves. Examples of items to be inventoried could be desktop workstations, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, telephony, confidential data, etc.
Acquisition of Assets – Prior to the acquisition of any new hardware, software, or other equipment and during transitions to new systems or following a failure or disaster, information security and other relevant business considerations will be addressed.
Data as an Asset – Data is also considered an asset and shall be tracked accordingly. Data shall be stored in accordance with all data security and privacy policies and the location of all covered data, regardless of classification or encryption status, shall be maintained and monitored.
Inventory
Inventory Documentation – The asset inventory will remain accurate and contain, at a minimum, the following information for each asset:
Unique name/identifier
Purpose of each asset
Type of asset (data/information, workstation, laptop, mobile device, etc.)
Asset ownership responsible for the data or device
The primary user of the asset (if applicable)
Department associated with the data or device
IP address (if applicable)
MAC address (if applicable)
Security/Sensitivity Classification
Format (Windows, MAC, etc.)
Location
Backup information
License information
Encryption Keys
Responsibility – The Security Officer or their designee shall be responsible for the generation, storage, and management of encryption keys and any equipment used to generate keys. Encryption keys shall be protected against modification, loss, destruction, and disclosure.
Procedures
Creating/Managing Inventory
The Security Officer is responsible for maintaining an inventory of servers, workstations, laptops, and other devices used to store, create, modify, delete or transmit confidential information.
An inventory of hardware assets will occur at least on a quarterly basis and will be updated when a server or other device is removed from use, moved to a different location, assigned to another workforce member, or assigned for use other than to store/access confidential information; or when a new device is assigned to an office or workforce member.
Workforce members are not allowed to move the hardware to a new location or use the hardware for other than its intended purpose without the approval of organization management. Proper inventory documentation will be completed prior to any move or change in use.
The inventory will include the hardware currently in use, where the hardware is located, who is authorized to use the hardware, and what the hardware is used for.
Any hardware device no longer in use or deemed no longer usable will be removed from the inventory.
Any changes in the use, assignment or location of any hardware device will be noted in the inventory.
Any new hardware put into use will be documented in the inventory.
The hardware inventory will be readily available to proper members of the workforce for use in disaster recovery planning, risk assessment and management, audit, and other appropriate activities.
The Security Officer will be held accountable for the accuracy of the inventory.
Encryption keys shall be stored in a location only accessible by authorized personnel. Keys should be appropriately backed up and protected against modification, destruction, or loss via file/folder-level permissions.