All policies are formatted in Word®, developed to be easy to modify to fit your organization's unique requirements.

Sample Policy


Sample (Best Practice Policies)

Policy name: Asset Management     Revision: X1

Policy section

Purpose

The purpose of this policy is to document and classify assets, determine their value, and establish responsibility for ownership of those assets.

Overview

Each information asset or group of information assets should have a clearly documented owner. While overall and shared resources (e.g., a network) may be owned by IT, certain specific assets (such as a business unit application) should be owned by an appropriate business owner. Risk assessments should be done for each asset and documented rules should be in place for those assets.

Scope

The scope of this policy includes all personnel. Those managers who own information assets will rely on risk assessments and will establish classifications based upon need and vulnerability. Those in charge of security will assist in establishing and documenting rules for each classification. Management will communicate and monitor all personnel's understanding and adherence.

Policy

The intent of the Asset Management Policy is to identify responsibility for the protection, maintenance and monitoring of the organization's information assets. The objective of this policy is to assure that ownership of all assets is established and maintained so as to determine and protect their financial and business worth to the organization.

Policy details

  • All information assets within the organization will be assigned an owner.
  • The owner of each asset shall determine both the financial value of the asset as well as the value of the asset for the organization.
  • All third-party information assets used by the organization will be assigned a manager.
  • The manager of each third-party asset shall determine both the financial value of the asset as well as the value of the asset for the organization.
  • The owner of each asset shall be responsible for selection, establishing approved vendors/sources, installation, maintenance, insurance, upgrades, repair, deactivation, retirement, and disposal.
  • The owner shall work with IT and other functional managers to determine appropriate and authorized access and use.
  • List additional security controls below:

Violation - Consequences section

Consequences for failure to follow this policy:     Employee support of our written IT security policies is the cornerstone in implementing and maintaining a secure IT infrastructure. Consequences of failure to comply with IT Security policies may include: loss of access rights, verbal warnings, written warnings, discipline up to and including employment termination and/or prosecution.

Report violations to:     Violations of this IT Security policy will be immediately reported to the (Variables) IT Security Coordinator, violator's Manager, Department manager, Asset owner, Executive Management, Human Resources, Law Enforcement Authorities. Violations will be reported via: E-mail, IMs, phone, fax, paging, physically tracking down appropriate personnel.

 

 
