4. Asset management (ISO)

Responsibility for assets

The objective of this category is to achieve and maintain appropriate protection of organizational assets.

Inventory of assets • All significants asset should be clearly identified and accounted for in an inventory listing, and have assigned owners (contollers) who are responsible for their appropriate protection. Control includes listings of:

• type of asset, including specification of make/model/format, creation/manufacture date and any other information necessary to specify type;
• assigned owner;
• location (logical or physical location, range of physical locations if portable);
• backup information (if appropriate);
• license information (if appropriate);
• business value, security classification and level of protection; and
• any additional data necessary to allow recovery from a disaster or otherwise assure continuity of operations.

Asset types subject to this control may include, depending on organizational requirements:

• information in databases or data files, systems documentation, contracts or agreements, research information, user manuals, training materials, operational or support procedures;
• software assets, including application and system software, development tools and utilities;
• physical assets, including computer and communications equipment, fixed location and removable storage media;
• services, including general utilities like HVAC, lighting and power supply;
• people, including their qualifications and experience;
• intangibles, such as reputation and image of the organization.

Authorities: ISO-27002:2005 7.1.1.

Ownership of assets • All information and assets associated with information processing facilities should be "owned" by a designated part of the organization. Control includes:

• asset owner responsibilities for ensuring appropriate classification of and information on each owned asset; and
• definition and periodic review of access restrictions and other controls associated with the asset.

Authorities: ISO-27002:2005 7.1.2.

Acceptable use of assets • Rules for the acceptable use of information and other assets associated with information processing facilities should be identified, documented and implemented. Control includes:

• guidelines/rules for use of services (e.g., email, Internet);
• guidelines/rules for use of on-site systems and devices;
• guidelines/rules for mobile devices and non-mobile devices used off-site; and
• asset users' awareness of these guidelines/rules, including an appropriate educational program.

Authorities: ISO-27002:2005 7.1.3.

Information classification

Control objective: To ensure that information receives an appropriate level of protection.

Classification guidelines • Information and information processing facilities should be classified in terms of value and criticality to the organization, sensitivity and legal requirements. Control includes:

• assigning responsibility for the asset owner or other appropriate party to make this classification;
• periodic review to ensure that classifications appropriately reflect business needs, legal-regulatory-certificatory requirements and balance confidentiality-integrity-availability concerns again other goals.

Authorities: ISO-27002:2005 7.2.1.

Information labelling and handling • An appropriate set of procedures for information labelling and handling should be developed by each information owner, and implemented in accordance with the classification scheme(s) adopted by the organization. Control includes:

• classifications that cover information in all forms and media; and
• procedures for chain of custody;
• procedures for logging and reporting relevant security incidents and events.

Authorities: ISO-27002:2005 7.2.2.

Article By : http://privacy.med.miami.edu